CVE-2023-27564: n8n: unauthenticated info disclosure exposes credentials
Severity: HIGH | PoC available | CISA SSVC: Track*

n8n is widely deployed as an AI agent orchestration and workflow automation platform, making this unauthenticated information disclosure (CVSS 7.5, no auth/interaction required) a high-priority finding. Attackers can remotely extract sensitive data including API keys, credentials, and workflow configurations stored in n8n—effectively compromising every downstream AI service the platform connects to. Patch to a version past 0.218.0 immediately and audit all internet-exposed n8n instances.
What is the risk?
High risk for organizations using n8n in AI/ML pipelines. The CVSS vector (AV:N/AC:L/PR:N/UI:N/C:H) indicates trivial remote exploitation requiring no authentication—this is a drive-by exfiltration scenario. n8n instances are frequently internet-exposed by design (webhooks, integrations), and the platform stores credentials for dozens of external services including AI APIs (OpenAI, Anthropic, HuggingFace). A single exposed instance can cascade into full compromise of the organization's AI service stack.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
What should I do?
6 steps
1. PATCH: Upgrade n8n past 0.218.0 immediately—check https://github.com/n8n-io/n8n/releases for the patched version.
2. NETWORK: Place n8n behind a VPN or firewall; it should never be directly internet-exposed unless webhooks are explicitly required.
3. ROTATE: Rotate all credentials stored in n8n workflows (API keys, OAuth tokens, DB passwords) after patching.
4. AUDIT: Review n8n access logs for suspicious GET requests that may indicate prior exploitation.
5. DETECTION: Alert on unauthenticated API calls to n8n endpoints returning large payloads.
6. HARDEN: Enable n8n's built-in authentication (basic auth or SSO) if not already enforced.
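The AUDIT and DETECTION steps above both come down to the same check: unauthenticated GET requests to the n8n API that come back with a large body, plus clients that probe many API paths without a session. The script below is an added example written for this page; it is not n8n code and not part of the advisory. It assumes n8n sits behind a reverse proxy whose access log is nginx "combined" format with one extra trailing field, `auth=yes|no`, that the proxy sets from whether the request carried a session cookie or Authorization header, and it assumes the n8n REST API is served under the `/rest/` prefix (`API_PREFIX`, a placeholder to adjust per deployment). The log lines, IPs and paths are constructed sample data.

```python
"""Flag unauthenticated, large-bodied GETs to the n8n API and clients that
probe it repeatedly. Added example for this advisory page, not n8n's code.

Assumptions (not from the advisory):
  * reverse-proxy access log = nginx combined format + trailing "auth=yes|no"
    field set by the proxy (session cookie or Authorization header present);
  * the n8n REST API lives under API_PREFIX (placeholder; adjust to taste).
"""
import re
from collections import Counter
from dataclasses import dataclass

API_PREFIX = "/rest/"        # assumption: path prefix of the n8n REST API
LARGE_BODY_BYTES = 50_000    # tunable: what counts as a "large payload"
SCAN_THRESHOLD = 5           # unauthenticated API GETs per client before flagging

# nginx combined format with the custom auth=... field appended at the end.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" '
    r'auth=(?P<auth>yes|no)$'
)

# Constructed sample log: one exfiltration-style hit, one legitimate
# authenticated read, one webhook call (legitimately unauthenticated),
# and a client walking several API paths without a session.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /rest/workflows HTTP/1.1" 200 184233 "-" "python-requests/2.28" auth=no',
    '203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /rest/credentials HTTP/1.1" 401 42 "-" "python-requests/2.28" auth=no',
    '198.51.100.20 - - [10/Mar/2023:12:00:03 +0000] "GET /rest/workflows HTTP/1.1" 200 184233 "-" "Mozilla/5.0" auth=yes',
    '198.51.100.21 - - [10/Mar/2023:12:00:04 +0000] "POST /webhook/order-sync HTTP/1.1" 200 12 "-" "curl/7.88" auth=no',
    '192.0.2.9 - - [10/Mar/2023:12:00:05 +0000] "GET /rest/workflows HTTP/1.1" 401 42 "-" "curl/7.88" auth=no',
    '192.0.2.9 - - [10/Mar/2023:12:00:05 +0000] "GET /rest/credentials HTTP/1.1" 401 42 "-" "curl/7.88" auth=no',
    '192.0.2.9 - - [10/Mar/2023:12:00:06 +0000] "GET /rest/users HTTP/1.1" 401 42 "-" "curl/7.88" auth=no',
    '192.0.2.9 - - [10/Mar/2023:12:00:06 +0000] "GET /rest/settings HTTP/1.1" 401 42 "-" "curl/7.88" auth=no',
    '192.0.2.9 - - [10/Mar/2023:12:00:07 +0000] "GET /rest/executions HTTP/1.1" 401 42 "-" "curl/7.88" auth=no',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    ip: str
    detail: str


def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def detect(lines, api_prefix=API_PREFIX, large=LARGE_BODY_BYTES, scan=SCAN_THRESHOLD):
    """Apply two rules over the log lines and return the findings in order:
    unauth_large_response per matching request, then unauth_api_probing per client."""
    findings = []
    unauth_gets = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        # Webhook and UI paths are expected to be hit without a session; only
        # the API prefix is interesting here.
        if not rec["path"].startswith(api_prefix) or rec["auth"] != "no":
            continue
        if rec["method"] != "GET":
            continue
        unauth_gets[rec["ip"]] += 1
        if rec["status"] == 200 and rec["bytes"] >= large:
            findings.append(Finding(
                "unauth_large_response", rec["ip"],
                f"GET {rec['path']} returned {rec['bytes']} bytes with no session",
            ))
    for ip, count in unauth_gets.items():
        if count >= scan:
            findings.append(Finding(
                "unauth_api_probing", ip,
                f"{count} unauthenticated GETs under {api_prefix}",
            ))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.rule}] {f.ip}: {f.detail}")
```

Running it on the constructed sample reports 203.0.113.7 for a 184 KB unauthenticated response and 192.0.2.9 for probing five API paths, while the authenticated read and the webhook call are left alone. For a real deployment, feed it the proxy log and lower `LARGE_BODY_BYTES` to just above the size of the biggest response an unauthenticated client should ever receive; any 200 above that to the API without a session is worth a ticket on its own, and any hit dated before the patch was applied is the signal the ROTATE step is meant to answer.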
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2023-27564 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2023-27564, increasing the risk of exploitation.
What systems are affected by CVE-2023-27564?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow orchestration, RAG pipelines, model serving integrations, no-code AI automation.
What is the CVSS score for CVE-2023-27564?
CVE-2023-27564 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.21%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0084 Discover AI Agent Configuration
What are the technical details?
Original Advisory
The n8n package 0.218.0 for Node.js allows Information Disclosure.
Exploitation Scenario
An adversary scans the internet for exposed n8n instances (a trivial Shodan/Censys query). Against a vulnerable 0.218.0 instance, they issue unauthenticated HTTP requests to the information disclosure endpoint documented in Synacktiv's advisory, extracting the stored credentials database. This yields API keys for OpenAI, Anthropic, Pinecone, and other AI services configured in workflows. The adversary then uses these keys to: (a) abuse AI APIs at the victim's expense, (b) exfiltrate data from connected RAG/vector databases, (c) inject malicious instructions into automated AI workflows by replaying webhook triggers with stolen secrets. Full AI pipeline compromise in under 15 minutes from initial scan.
Weaknesses (CWE)
CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (Same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (Same package: n8n)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (Same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (Same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (Same package: n8n)