A critical vulnerability has been identified in the n8n open-source workflow automation platform, assigned a maximum severity score of 10.0. This flaw allows an unauthenticated remote attacker to access and read any file on the server by exploiting certain form-based workflows. Successful exploitation could lead to the complete compromise of sensitive data, credentials, and system configuration files, posing a severe risk to the organization.

The vulnerability exists within the processing of form-based workflows in the n8n platform. A lack of proper input validation and path sanitization allows a remote, unauthenticated attacker to craft a malicious request containing path traversal sequences (e.g., ../). By submitting this crafted request to a vulnerable workflow endpoint, the attacker can break out of the intended directory and navigate the server's file system, enabling them to read arbitrary files to which the n8n process has access.

This vulnerability is rated as critical severity with a CVSS score of 10.0, representing the highest possible risk. Exploitation by an unauthenticated attacker could lead to severe business consequences, including a major data breach through the theft of sensitive corporate data, customer information, intellectual property, or API keys. Access to configuration files or private credentials (such as SSH keys) could allow an attacker to escalate privileges, move laterally across the network, and achieve a full system compromise. Such an incident would likely result in significant financial loss, reputational damage, and potential regulatory fines for non-compliance with data protection standards.

Immediate Action: Immediately update all instances of n8n to the patched version 1.121.0 or later. Prioritize patching for all internet-facing systems. After patching, review web server and application access logs for any signs of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring:

• Log Analysis: Scrutinize web server and n8n application logs for requests to form-based workflow endpoints containing directory traversal patterns such as ../, ..%2f, or ..\.
• File Integrity Monitoring (FIM): Monitor for unauthorized access attempts to sensitive system files and configuration directories (e.g., /etc/passwd, .env files, SSH keys).
• Network Monitoring: Watch for unusual outbound network traffic from n8n servers, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to detect and block path traversal attack patterns in HTTP requests.
• Access Restriction: Limit network access to the n8n application to only trusted IP ranges, and if possible, place it behind a VPN or other authenticated access gateway.
• Disable Public Workflows: Temporarily disable any publicly accessible, unauthenticated, form-based workflows until the system can be patched.

Public Exploit Available: false

This vulnerability represents a critical and immediate threat to the organization. With a maximum CVSS score of 10.0, it allows for a complete compromise of confidentiality from a remote, unauthenticated position. Although not currently listed in the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. We strongly recommend that all organizations using affected versions of n8n treat this as an emergency and apply the update to version 1.121.0 or later immediately, focusing first on systems exposed to the internet.