Pillar Security Discovered Critical Flaw in n8n Exposing Hundreds of Thousands of Enterprise AI Systems to Complete Takeover

MIAMI--(BUSINESS WIRE)--Pillar Security, a pioneering company in AI security, today disclosed critical sandbox escape vulnerabilities in n8n, the open-source workflow automation platform powering hundreds of thousands of enterprise deployments worldwide. The vulnerabilities, assigned a maximum CVSS score of 10.0 (Critical), allowed any authenticated user to achieve complete server control and steal every stored credential, API key, and secret on both self-hosted and cloud instances.

This discovery is particularly significant given n8n's role as the connective tissue of enterprise AI infrastructure, orchestrating agentic workflows and LLM-powered applications. The platform has become essential for organizations deploying AI at scale, making the exposure of AI API keys, vector database credentials, and proprietary prompts especially concerning.

"What makes these vulnerabilities particularly dangerous is the combination of ease of exploitation and the high-value targets they expose," said Eilon Cohen, AI Security Researcher at Pillar Security. "If you can create a workflow in n8n, you can own the server. For attackers, this means access to OpenAI keys, Anthropic credentials, AWS accounts, and the ability to intercept or modify AI interactions in real-time – all while the workflows continue functioning normally."

Key Findings:

• Maximum Severity: CVSS 10.0 Critical score (Advisory: GHSA-6cqr-8cfr-67f8)
• Trivial Exploitation: Any authenticated user can execute arbitrary system commands through malicious expressions – no special privileges required
• Complete Credential Exposure: Access to N8N_ENCRYPTION_KEY enables decryption of all stored credentials including AI API keys, cloud provider keys, database passwords, and OAuth tokens
• AI Pipeline Hijacking: Attackers can intercept prompts, modify AI responses, redirect traffic through attacker-controlled endpoints, and exfiltrate sensitive data from AI interactions
• Multi-Tenant Cloud Risk: On n8n Cloud, a single compromised user could potentially access shared infrastructure and other customers' data within the Kubernetes cluster
• Rapid Exploit Evolution: Second vulnerability discovered 24 hours after initial patch was deployed, bypassing the first fix

Who is Affected?

The vulnerabilities affect all n8n users prior to version 2.4.0, including:

1. Self-Hosted Deployments: Complete server compromise with access to all environment variables, credentials, and connected systems
2. n8n Cloud Users: Multi-tenant environment risks with potential access to internal services
3. AI-First Organizations: Companies using n8n for AI orchestration face exposure of OpenAI, Anthropic, Azure OpenAI, and Hugging Face credentials, plus vector database access (Pinecone, Weaviate, Qdrant)

Attack Scenarios

The research identified several high-impact attack patterns:

• Credential Harvesting: Extract and decrypt all stored credentials using the compromised n8n encryption key
• AI Man-in-the-Middle: Modify workflow configurations to route AI requests through attacker-controlled proxies, intercepting all prompts and responses
• Workflow Poisoning: Inject data exfiltration into existing workflows that continue functioning normally while copying sensitive data
• Supply Chain Compromise: Distribute malicious workflow templates that contain embedded exploits
• Lateral Movement: Use stolen cloud credentials to pivot to connected cloud providers’ environments

Mitigation

Pillar Security strongly recommends the following immediate actions:

1. Upgrade Immediately: Update to n8n version 2.4.0 or later
2. Rotate Encryption Key: If running an affected version, rotate n8n encryption key
3. Rotate All Credentials: Assume stored credentials may have been compromised and rotate them
4. Audit Workflows: Review workflow execution logs for suspicious expressions or unexpected behavior
5. Monitor AI Workflows: Watch for unusual patterns like base URL changes, new outbound connections, or modified prompts

Following responsible disclosure practices, Pillar Security reported both vulnerabilities to n8n with security guidance on code fixes, who responded rapidly with patches during the holiday season, releasing version 2.4.0 with fixes in January 2026.

Link to full technical report: www.pillar.security/blog/n8n-sandbox-escape-critical-vulnerabilities-in-n8n-exposes-hundreds-of-thousands-of-enterprise-ai-systems-to-complete-takeover

About Pillar

Pillar Security is a leading AI security platform, providing companies with full visibility and control to build and run secure AI systems. Founded by experts in offensive and defensive cybersecurity, Pillar secures the entire AI lifecycle, from development to deployment – through AI Discovery, AI Security Posture Management (AI-SPM), AI Red Teaming, and Adaptive Runtime Guardrails.

Pillar empowers organizations to prevent data leakage, neutralize AI-specific threats, and comply with evolving regulations. The platform is trusted by global enterprises and serves customers analyzing millions of prompts monthly and scanning tens of thousands of code repositories.

Powered by real-world threat intelligence and advanced adversarial research, Pillar leverages insights from analyzing millions of AI interactions, scanning tens of thousands of repositories, and continuously testing production AI systems to deliver precise threat detection, adaptive protection, and validated security assessments.