CVE-2025-46343: n8n: stored XSS enables account takeover

MEDIUM
Published April 29, 2025
CISO Take

If your team uses n8n for AI workflow automation, upgrade to v1.90.0 or later now. Any authenticated member can upload an HTML file to n8n's binary storage and then lure another user, including an admin, into opening a link that serves that file as text/html from the n8n origin. The embedded script runs in the victim's session and can change the account's email address, which is the path to full account takeover and to every workflow, stored credential and connected system that account can reach. The CVSS 5.4 score understates the blast radius: n8n orchestrates AI agents with broad integration access, so credential theft here is a pivot into the rest of your AI stack.

Risk Assessment

Effective risk is well above what CVSS 5.4 suggests in AI/automation environments. n8n workflows routinely hold API keys for LLM providers, database credentials and webhook secrets, so account takeover translates directly into lateral movement into every connected system. Attack complexity is low: standard stored-XSS technique, no AI/ML expertise required, and member-level access is a low bar in most organizations (contractors, newly onboarded developers, a single phished account). The one real constraint is user interaction (CVSS UI:R): the victim has to open the attacker's link, so phishing or a shared workflow link is part of the chain. Not in CISA KEV and no public exploitation reported, but proof-of-concept development is trivial given how precisely the advisory describes the flaw.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm < 1.90.0 1.90.0

Any n8n deployment running a release before 1.90.0 is affected; confirm the version actually running (for example via the n8n settings page or the installed package version), not just the tag you think you deployed.

Severity & Risk

CVSS 3.1: 5.4 / 10
EPSS: 0.14% chance of exploitation in the next 30 days (higher than 33% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None

Recommended Action

6 steps
  1. Patch immediately: upgrade to n8n 1.90.0 or later. This is the only complete fix; the steps below are compensating controls and detection, not substitutes.

  2. Review audit logs and reverse-proxy access logs for uploads of HTML content to the binary storage endpoint, and for GET requests to the binary-data view endpoint whose mimeType parameter asks for text/html or any other type a browser renders as an active document (image/svg+xml and application/xhtml+xml can carry script just as HTML can). A request like that arriving with a referer from inside n8n or from an internal chat tool is the exploitation pattern this advisory describes. Also check user accounts for unexpected email-address changes, since that is the takeover step the NVD description names.

  3. Apply least privilege: restrict member-level write access to binary upload functionality where it is not operationally required. Treat this as a weak control on its own, because member is the role most users hold.

  4. Make binary-data responses incapable of running as a document on the n8n origin. A Content-Security-Policy of script-src 'self' is not enough: the payload is same-origin content, and an attacker can upload the script as a second binary and load it from the same endpoint. What works on self-hosted instances, and what a reverse proxy can add to that endpoint's responses until the patch lands, is Content-Security-Policy: sandbox (opaque origin, scripts disabled) together with X-Content-Type-Options: nosniff and Content-Disposition: attachment.

  5. If exploitation is suspected or confirmed, rotate every credential stored in n8n (LLM provider keys, database passwords, webhook secrets), invalidate active n8n sessions and n8n API keys, and reset the password of any account whose email was changed.

  6. If immediate patching is not possible, disable binary file sharing features or block the attachments endpoint at the network or proxy layer for everything except the clients that genuinely need it.
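The log review in step 2, worked through as an added example (not n8n's code and not part of the original advisory). It assumes the binary-data view endpoint lives at /rest/binary-data and that the query parameter is named mimeType, as in the exploitation scenario on this page; the access-log lines are constructed in combined log format for the demonstration. It goes slightly beyond the step by treating SVG and XHTML overrides as the same severity as text/html, since those also execute script when rendered as a document.

```javascript
// Added example: flag IoCs for CVE-2025-46343 in reverse-proxy access logs.
// Assumptions (hypothetical, not from n8n docs): endpoint path /rest/binary-data,
// query parameter mimeType, logs in Apache/nginx "combined" format.

// Types a browser will render as an active (script-capable) document.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'application/xml',
  'text/xml',
]);

const BINARY_ENDPOINT = '/rest/binary-data';

// combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5],
    status: Number(m[6]), referer: m[7], ua: m[8],
  };
}

// Classify one parsed request. Returns a finding or null.
function classify(req) {
  if (req.method !== 'GET') return null;
  let url;
  try {
    url = new URL(req.path, 'http://n8n.invalid'); // base only needed for relative paths
  } catch {
    return null;
  }
  if (!url.pathname.startsWith(BINARY_ENDPOINT)) return null;
  // Strip any ";charset=..." suffix and normalise case before matching.
  const requested = (url.searchParams.get('mimeType') || '').split(';')[0].trim().toLowerCase();
  if (!requested) return null; // no override attempted
  if (ACTIVE_CONTENT_TYPES.has(requested)) {
    return { severity: 'high', reason: `script-capable mimeType override: ${requested}`, ...req };
  }
  // Any override is worth a look, but non-document types cannot run script on their own.
  return { severity: 'info', reason: `mimeType override: ${requested}`, ...req };
}

// Scan a whole log text; returns findings in log order.
function scanLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean).map(classify).filter(Boolean);
}

// Constructed sample traffic (not real logs). Lines 2-4 carry a mimeType override;
// only lines 3 and 4 request a type that executes script when rendered.
const SAMPLE_LOG = [
  '10.0.0.5 - - [29/Apr/2025:10:01:02 +0000] "GET /rest/workflows HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [29/Apr/2025:10:01:09 +0000] "GET /rest/binary-data?id=abc123&mimeType=image%2Fpng HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [29/Apr/2025:10:02:31 +0000] "GET /rest/binary-data?id=def456&mimeType=text%2Fhtml HTTP/1.1" 200 1337 "https://n8n.example/workflow/7" "Mozilla/5.0"',
  '10.0.0.9 - - [29/Apr/2025:10:02:45 +0000] "GET /rest/binary-data?id=def456&mimeType=image%2Fsvg%2Bxml HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [29/Apr/2025:10:03:10 +0000] "POST /rest/binary-data HTTP/1.1" 201 45 "-" "curl/8.0"',
].join('\n');

const FINDINGS = scanLog(SAMPLE_LOG);
for (const f of FINDINGS) {
  console.log(`${f.severity.toUpperCase()} ${f.time} ${f.ip} ${f.reason} referer=${f.referer}`);
}
```

Run it with node; the two HIGH lines are the ones to chase, and the referer on the text/html hit is exactly the "shared workflow link" lure from the exploitation scenario. Pipe real proxy logs through scanLog and group the HIGH findings by source IP and by the id parameter to find which stored file was weaponised and which victims fetched it.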

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.1.2 - AI system security
NIST AI RMF
MANAGE 4.1 - Post-deployment AI risks and benefits are evaluated and responded to
OWASP LLM Top 10
LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

What is CVE-2025-46343?

CVE-2025-46343 is a stored cross-site scripting flaw in n8n before 1.90.0. The binary-data view endpoint let the caller choose the response MIME type through a GET parameter, so an HTML file uploaded as workflow binary data could be served as text/html from the n8n origin. A member-level user can use this to run script in another user's session, change that user's email address and take over the account, including admin accounts. Because n8n holds credentials for LLM providers, databases and other integrations, the practical impact is larger than the CVSS 5.4 rating suggests.

Is CVE-2025-46343 actively exploited?

No confirmed active exploitation of CVE-2025-46343 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-46343?

Upgrade to n8n 1.90.0 or later; that is the only complete fix. Until then: restrict member-level binary uploads, have a reverse proxy add Content-Security-Policy: sandbox, X-Content-Type-Options: nosniff and Content-Disposition: attachment to binary-data responses, or block the attachments endpoint. Review logs for GET requests to the binary-data endpoint with mimeType=text/html (or another script-capable type) and for unexpected user email changes, and rotate every credential stored in n8n if exploitation is suspected.

What systems are affected by CVE-2025-46343?

All n8n releases before 1.90.0 (npm package n8n). This page files it under the following AI/ML architecture patterns because n8n is commonly deployed in these roles: agent frameworks, AI orchestration layers, LLM integration pipelines, workflow automation and RAG pipelines.

What is the CVSS score for CVE-2025-46343?

CVE-2025-46343 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS 30-day exploitation probability is 0.14%.

Technical Details

NVD Description

n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could send a request to change the user’s email address in their account settings, effectively enabling account takeover. This issue has been patched in version 1.90.0.
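To make the NVD text concrete, here is an added example (not n8n's code) of the weak pattern it describes beside a hardened version, written as pure header-building functions so the difference can be checked without running a server. The names query, storedFile and INLINE_SAFE are hypothetical; the point is that the caller must never pick the Content-Type, and that anything outside a small allowlist is forced to download inside a CSP sandbox.

```javascript
// Added example: response headers for a "view binary data" endpoint.
// vulnerableHeaders() mirrors the flaw in the NVD description (MIME type comes
// from the request). hardenedHeaders() is the shape a fixed handler should have.
// All names here are hypothetical and not taken from the n8n code base.

// Types a browser may render inline without executing script.
const INLINE_SAFE = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'application/pdf', 'text/plain', 'text/csv', 'application/json',
]);

// Vulnerable: whatever the caller asks for becomes the Content-Type, so stored
// bytes that happen to be HTML render on the application's own origin.
function vulnerableHeaders(query, storedFile) {
  return {
    'Content-Type': query.mimeType || storedFile.mimeType,
    'Content-Disposition': `inline; filename="${storedFile.fileName}"`,
  };
}

// Hardened: type from upload-time metadata only, allowlist for inline rendering,
// everything else served as opaque bytes and as a download, plus a CSP sandbox.
function hardenedHeaders(query, storedFile) {
  // 1. Ignore query.mimeType entirely; use what was recorded at upload.
  const stored = (storedFile.mimeType || '').split(';')[0].trim().toLowerCase();
  const inlineOk = INLINE_SAFE.has(stored);
  // 2. Non-allowlisted types (including text/html stored at upload) become octet-stream.
  const contentType = inlineOk ? stored : 'application/octet-stream';
  // 3. Sanitise the filename so it cannot break out of the header value.
  const safeName = String(storedFile.fileName || 'download').replace(/[^\w.\-]/g, '_');
  return {
    'Content-Type': contentType,
    // The browser must not sniff a different type than the one declared.
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `${inlineOk ? 'inline' : 'attachment'}; filename="${safeName}"`,
    // Even if something does render, it does so in an opaque origin with scripts
    // disabled, so it cannot reach the user's session or the REST API.
    'Content-Security-Policy': 'sandbox',
    'Cache-Control': 'no-store',
  };
}

// Simplified model of the browser's decision: would an HTML/SVG payload behind
// these headers run script on the application origin?
function rendersAsActiveDocument(headers) {
  const ct = (headers['Content-Type'] || '').split(';')[0].trim().toLowerCase();
  const disposition = (headers['Content-Disposition'] || '').split(';')[0].trim().toLowerCase();
  const csp = headers['Content-Security-Policy'] || '';
  const active = ['text/html', 'application/xhtml+xml', 'image/svg+xml'].includes(ct);
  return active && disposition !== 'attachment' && !/\bsandbox\b/.test(csp);
}

// Constructed inputs: an attacker asking for text/html against a stored PNG, and
// a file that was HTML at upload time (the endpoint placed no restriction on that).
const OVERRIDE_QUERY = { mimeType: 'text/html' };
const STORED_PNG = { fileName: 'chart.png', mimeType: 'image/png' };
const STORED_HTML = { fileName: 'report.html', mimeType: 'text/html' };

for (const [label, headers] of [
  ['vulnerable, png + override', vulnerableHeaders(OVERRIDE_QUERY, STORED_PNG)],
  ['hardened, png + override', hardenedHeaders(OVERRIDE_QUERY, STORED_PNG)],
  ['hardened, stored html', hardenedHeaders(OVERRIDE_QUERY, STORED_HTML)],
]) {
  console.log(label, '->', rendersAsActiveDocument(headers) ? 'SCRIPT CAN RUN' : 'safe', headers['Content-Type']);
}
```

The three defences are deliberately redundant: the allowlist removes the attacker's control over the type, Content-Disposition: attachment stops rendering for anything outside it, and the sandbox directive is the backstop if a future allowlist entry turns out to be scriptable. A reverse proxy that can only append headers can apply the last two to the endpoint as an interim control without touching application code.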

Exploitation Scenario

An attacker with member-level n8n credentials, acquired via phishing, credential stuffing or a compromised contractor account, uploads an HTML file whose JavaScript calls the n8n account-settings API to change the current user's email address. The attacker builds a URL to the binary data endpoint with ?mimeType=text/html appended and socially engineers an admin into opening it, for example as a shared workflow link or in an internal chat message. The script runs silently in the admin's authenticated browser session, replaces the email with one the attacker controls, and the attacker then requests a password reset to that address. With full admin access, the attacker modifies AI agent workflows to exfiltrate data, reads API keys for connected LLM providers, and uses n8n's integration access to pivot into downstream systems such as databases, cloud storage and SaaS platforms. Every step is ordinary authenticated traffic to the n8n API and its integrations, so network-level intrusion detection is unlikely to flag it; the signals are in n8n's own logs and in unexpected account-email changes.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
April 29, 2025
Last Modified
May 9, 2025
First Seen
April 29, 2025

Related Vulnerabilities