CVE-2023-27563: n8n: privilege escalation exposes full workflow admin

Severity: HIGH | Public PoC available | CISA SSVC: Attend
Published May 10, 2023
CISO Take

Any authenticated n8n user — including low-privilege API tokens or shared team accounts — can escalate to full admin in v0.218.0, with a published exploit available. Since n8n routinely stores API keys for OpenAI, AWS, and internal services, a single compromised low-privilege account translates directly into credential exfiltration across every connected service. Patch immediately and rotate all credentials stored in n8n as potentially compromised.

What is the risk?

HIGH risk with immediate operational exposure. CVSS 8.8 reflects a near-trivial exploitation path: network-accessible, low complexity, requiring only a basic account. The Synacktiv advisory confirms that a working exploit exists. n8n is widely deployed as the orchestration layer for AI automation pipelines, often holding privileged access to LLM APIs, cloud credentials, and internal data sources. The combination of low-barrier escalation and high-value credential stores makes this a priority target for opportunistic threat actors focused on AI infrastructure.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | | No patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 1.2% chance of exploitation in 30 days (higher than 65% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. PATCH IMMEDIATELY

    Upgrade n8n to the latest version (review github.com/n8n-io/n8n/releases for the patched release).

  2. ROTATE ALL CREDENTIALS

    Treat every credential stored in n8n — AI API keys, DB passwords, cloud tokens, webhook secrets — as compromised, regardless of evidence of exploitation.

  3. AUDIT ACCESS LOGS

    Review n8n activity logs for unexpected admin-level actions performed by non-admin accounts; flag any credential exports or workflow modifications.

  4. ISOLATE IF UNPATCHED

    If immediate patching is not possible, restrict n8n to an IP allowlist, revoke all non-essential accounts, and disable public registration.

  5. DETECT POST-EXPLOITATION

    Alert on admin role changes, new credential creation, or new workflow triggers not matching approved baselines.
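A detection sketch for steps 3 and 5, added here as an illustration; it is not part of the advisory or of n8n itself. It assumes a constructed, simplified event format (actor, the actor's role at the time of the action, action, target, detail) rather than n8n's real audit log schema, and flags the signals the steps name: admin-level actions by non-admin accounts, role changes to admin, new credentials, and workflow triggers outside an approved baseline.

```python
"""Post-exploitation signal detection for the n8n escalation steps above (added example).
The Event shape and the sample events are CONSTRUCTED for illustration; they are not
n8n's audit log format. In practice, 'role' comes from joining each log line with the
user directory as it stood at the time of the action."""
from dataclasses import dataclass
from typing import Iterable

# Actions that only an owner/admin should ever perform (assumed naming, not n8n's)
ADMIN_ACTIONS = {"user.role_change", "credential.export", "credential.create"}
ADMIN_ROLES = {"owner", "admin"}

@dataclass(frozen=True)
class Event:
    actor: str        # account that performed the action
    role: str         # actor's role at the time, from the user directory
    action: str       # e.g. "workflow.update", "credential.create"
    target: str       # object affected: user, credential or workflow id
    detail: str = ""  # free-form: new role, "trigger:<type>", credential type

def detect(events: Iterable[Event], approved_triggers: dict[str, set[str]]) -> list[str]:
    """Return one alert string per matching signal, in event order."""
    alerts = []
    for e in events:
        # Step 3: admin-level action by an account that was not admin at the time
        if e.action in ADMIN_ACTIONS and e.role not in ADMIN_ROLES:
            alerts.append(f"NON_ADMIN_ADMIN_ACTION {e.actor} ran {e.action} on {e.target}")
        # Step 5: role change that grants admin, new credential, trigger drift
        if e.action == "user.role_change" and e.detail in ADMIN_ROLES:
            alerts.append(f"ROLE_CHANGE {e.target} -> {e.detail} by {e.actor}")
        if e.action == "credential.create":
            alerts.append(f"NEW_CREDENTIAL {e.target} by {e.actor}")
        if e.action == "workflow.update" and e.detail.startswith("trigger:"):
            trig = e.detail.split(":", 1)[1]
            if trig not in approved_triggers.get(e.target, set()):
                alerts.append(f"TRIGGER_DRIFT {e.target} uses {trig} (not in baseline) by {e.actor}")
    return alerts

# Constructed sample: a 'member' account promotes itself, then acts as admin
SAMPLE_EVENTS = [
    Event("alice", "owner", "workflow.update", "wf-summarize", "trigger:schedule"),
    Event("bob", "member", "user.role_change", "bob", "owner"),
    Event("bob", "member", "credential.create", "cred-42", "httpHeaderAuth"),
    Event("bob", "owner", "workflow.update", "wf-summarize", "trigger:webhook"),
]
APPROVED_TRIGGERS = {"wf-summarize": {"schedule"}}  # baseline per workflow id

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, APPROVED_TRIGGERS):
        print(alert)
```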

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1 - AI risk management process
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain identified risk responses
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions


Is CVE-2023-27563 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-27563, increasing the risk of exploitation.


What systems are affected by CVE-2023-27563?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, RAG pipelines, model serving.

What is the CVSS score for CVE-2023-27563?

CVE-2023-27563 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.22%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI workflow automation, RAG pipelines, model serving

MITRE ATLAS Techniques

AML.T0012 - Valid Accounts
AML.T0049 - Exploit Public-Facing Application
AML.T0053 - AI Agent Tool Invocation
AML.T0081 - Modify AI Agent Configuration
AML.T0083 - Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.1
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

The n8n package 0.218.0 for Node.js allows Escalation of Privileges.

Exploitation Scenario

An attacker registers or obtains any valid n8n account — through credential stuffing on a public-facing instance, a compromised contractor token, or social engineering a team member. Using crafted API requests described in the Synacktiv advisory, they escalate their session to admin privileges. As admin, they navigate to the Credentials vault and extract all stored API keys for OpenAI, AWS, internal databases, and webhook endpoints. They then silently modify an existing AI workflow — for example, a document summarization pipeline feeding an LLM — to forward all processed documents to an attacker-controlled endpoint. The attack leaves no obvious user-facing indicators and can persist indefinitely until the workflow is manually reviewed.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 10, 2023
Last Modified: January 27, 2025
First Seen: May 10, 2023
