AI Threat Alert
CVE-2023-27562: n8n: path traversal allows arbitrary file read
MEDIUM PoC AVAILABLE CISA: TRACK*Any authenticated n8n user (low privilege) can traverse the file system and read arbitrary files on the server — including workflow configs that commonly store API keys for OpenAI, Anthropic, and other AI services. If n8n is deployed in your AI agent stack, treat all secrets stored in workflows as potentially compromised and rotate them. Upgrade to a version past 0.218.0 immediately.
What is the risk?
CVSS 6.5 understates the real-world risk in AI pipeline contexts. n8n instances routinely hold credentials for dozens of downstream AI services embedded in workflow nodes. A low-privilege insider or compromised account can silently exfiltrate all of them via a single HTTP request. No user interaction required and network-accessible makes this trivially weaponizable. The absence of KEV listing does not imply low exploitation activity — PoC details are publicly documented in the Synacktiv advisory.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch: Upgrade n8n to the latest release immediately (0.218.0 is the vulnerable version; check n8n GitHub releases for the fix commit).
-
Rotate all credentials: Assume any API key, DB password, or OAuth token stored in n8n workflow nodes is compromised — revoke and reissue.
-
Network isolation: n8n should never be internet-facing; restrict to internal networks or VPN.
-
Least-privilege: Audit which users have n8n access; revoke unused accounts.
-
Detection: Search web server access logs for path patterns containing '../' or URL-encoded equivalents (%2e%2e%2f) targeting n8n endpoints.
-
Secrets management: Migrate workflow credentials to a proper vault (HashiCorp Vault, AWS Secrets Manager) rather than storing in n8n's built-in credential store.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2023-27562?
Any authenticated n8n user (low privilege) can traverse the file system and read arbitrary files on the server — including workflow configs that commonly store API keys for OpenAI, Anthropic, and other AI services. If n8n is deployed in your AI agent stack, treat all secrets stored in workflows as potentially compromised and rotate them. Upgrade to a version past 0.218.0 immediately.
Is CVE-2023-27562 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2023-27562, increasing the risk of exploitation.
How to fix CVE-2023-27562?
1. Patch: Upgrade n8n to the latest release immediately (0.218.0 is the vulnerable version; check n8n GitHub releases for the fix commit). 2. Rotate all credentials: Assume any API key, DB password, or OAuth token stored in n8n workflow nodes is compromised — revoke and reissue. 3. Network isolation: n8n should never be internet-facing; restrict to internal networks or VPN. 4. Least-privilege: Audit which users have n8n access; revoke unused accounts. 5. Detection: Search web server access logs for path patterns containing '../' or URL-encoded equivalents (%2e%2e%2f) targeting n8n endpoints. 6. Secrets management: Migrate workflow credentials to a proper vault (HashiCorp Vault, AWS Secrets Manager) rather than storing in n8n's built-in credential store.
What systems are affected by CVE-2023-27562?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, model serving, training pipelines.
What is the CVSS score for CVE-2023-27562?
CVE-2023-27562 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 2.32%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0055 Unsecured Credentials AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
The n8n package 0.218.0 for Node.js allows Directory Traversal.
Exploitation Scenario
An adversary with a low-privilege n8n account (or a compromised employee credential) sends a crafted HTTP request to the n8n API with a directory traversal payload in the file path parameter. By navigating to ../../../../etc/passwd or targeting n8n's own configuration directory, they enumerate the system layout. They then target ~/.n8n/config or workflow export files to extract all stored credentials in plaintext. With OpenAI API keys in hand, they can exfiltrate data via the AI inference API, run costly inference at the victim's expense, or pivot to other services using the harvested secrets. The entire attack chain requires no special tooling — curl is sufficient.
Weaknesses (CWE)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Primary
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials
Same package: n8n CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same package: n8n CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same package: n8n CVE-2026-27577 9.9 n8n: Code Injection enables RCE
Same package: n8n CVE-2026-27494 9.9 n8n: security flaw enables exploitation
Same package: n8n