CVE-2023-27562 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

Any authenticated n8n user (low privilege) can traverse the file system and read arbitrary files on the server — including workflow configs that commonly store API keys for OpenAI, Anthropic, and other AI services. If n8n is deployed in your AI agent stack, treat all secrets stored in workflows as potentially compromised and rotate them. Upgrade to a version past 0.218.0 immediately.

Risk Assessment

CVSS 6.5 understates the real-world risk in AI pipeline contexts. n8n instances routinely hold credentials for dozens of downstream AI services embedded in workflow nodes. A low-privilege insider or compromised account can silently exfiltrate all of them via a single HTTP request. No user interaction required and network-accessible makes this trivially weaponizable. The absence of KEV listing does not imply low exploitation activity — PoC details are publicly documented in the Synacktiv advisory.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
186.5K OpenSSF 6.0 16 dependents Pushed 6d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

1.1%

chance of exploitation in 30 days

Higher than 78% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Patch: Upgrade n8n to the latest release immediately (0.218.0 is the vulnerable version; check n8n GitHub releases for the fix commit).
Rotate all credentials: Assume any API key, DB password, or OAuth token stored in n8n workflow nodes is compromised — revoke and reissue.
Network isolation: n8n should never be internet-facing; restrict to internal networks or VPN.
Least-privilege: Audit which users have n8n access; revoke unused accounts.
Detection: Search web server access logs for path patterns containing '../' or URL-encoded equivalents (%2e%2e%2f) targeting n8n endpoints.
Secrets management: Migrate workflow credentials to a proper vault (HashiCorp Vault, AWS Secrets Manager) rather than storing in n8n's built-in credential store.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Agent Framework AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.7 - AI system operation and monitoring A.9.2 - Information security for AI systems

NIST AI RMF

MANAGE-2.2 - Mechanisms to manage AI risks

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2023-27562?

Any authenticated n8n user (low privilege) can traverse the file system and read arbitrary files on the server — including workflow configs that commonly store API keys for OpenAI, Anthropic, and other AI services. If n8n is deployed in your AI agent stack, treat all secrets stored in workflows as potentially compromised and rotate them. Upgrade to a version past 0.218.0 immediately.

Is CVE-2023-27562 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-27562, increasing the risk of exploitation.

How to fix CVE-2023-27562?

1. Patch: Upgrade n8n to the latest release immediately (0.218.0 is the vulnerable version; check n8n GitHub releases for the fix commit). 2. Rotate all credentials: Assume any API key, DB password, or OAuth token stored in n8n workflow nodes is compromised — revoke and reissue. 3. Network isolation: n8n should never be internet-facing; restrict to internal networks or VPN. 4. Least-privilege: Audit which users have n8n access; revoke unused accounts. 5. Detection: Search web server access logs for path patterns containing '../' or URL-encoded equivalents (%2e%2e%2f) targeting n8n endpoints. 6. Secrets management: Migrate workflow credentials to a proper vault (HashiCorp Vault, AWS Secrets Manager) rather than storing in n8n's built-in credential store.

What systems are affected by CVE-2023-27562?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, model serving, training pipelines.

What is the CVSS score for CVE-2023-27562?

CVE-2023-27562 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 1.07%.

Technical Details

NVD Description

The n8n package 0.218.0 for Node.js allows Directory Traversal.

Exploitation Scenario

An adversary with a low-privilege n8n account (or a compromised employee credential) sends a crafted HTTP request to the n8n API with a directory traversal payload in the file path parameter. By navigating to ../../../../etc/passwd or targeting n8n's own configuration directory, they enumerate the system layout. They then target ~/.n8n/config or workflow export files to extract all stored credentials in plaintext. With OpenAI API keys in hand, they can exfiltrate data via the AI inference API, run costly inference at the victim's expense, or pivot to other services using the harvested secrets. The entire attack chain requires no special tooling — curl is sufficient.