AI Threat Alert

CVE-2025-55526: n8n-workflows: path traversal in download_workflow endpoint

CRITICAL PoC AVAILABLE CISA: ATTEND
Published August 26, 2025
CISO Take

A critical unauthenticated directory traversal (CVSS 9.1) in n8n-workflows allows any remote attacker to read and overwrite arbitrary server files — no credentials, no user interaction required. If your AI automation stack runs this component exposed to any network, treat this as immediate compromise risk: workflow files routinely contain API keys, LLM provider tokens, and database credentials. Isolate the service behind a VPN or firewall now; no patch exists yet.

What is the risk?

Extremely high exploitability: network-accessible, low complexity, zero authentication, zero user interaction (AV:N/AC:L/PR:N/UI:N). High confidentiality AND integrity impact means attackers can both exfiltrate sensitive data and tamper with workflow configurations. n8n-workflows is commonly internet-exposed in automation and AI agent deployments, making this broadly exploitable by unsophisticated threat actors. No patch or fixed version is currently available, extending the exposure window.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
0.8%
chance of exploitation in 30 days
Higher than 50% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A None

What should I do?

6 steps

  1. IMMEDIATE

    Restrict network access to the n8n-workflows API server — place behind VPN, firewall, or internal-only network. Block public exposure of port 8000/8080 (uvicorn default).

  2. AUDIT

    Check workflow configuration files and server logs for unexpected file access patterns (paths containing ../, %2e%2e, or absolute paths).

  3. ROTATE

    Assume all secrets stored in workflow files on exposed instances are compromised — rotate API keys, DB credentials, webhook tokens.

  4. MONITOR

    Alert on HTTP requests to the download_workflow endpoint containing traversal sequences.

  5. No official patch available — pin to a pre-vulnerability commit or replace with a hardened fork.

  6. Consider running the API server in a minimal container with read-only filesystem mounts outside the workflow directory.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Code Execution Agent Framework API AML.T0025 AML.T0037 AML.T0049 AML.T0055 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Cybersecurity for AI systems
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain value and manage risks of deployed AI systems
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-55526?

A critical unauthenticated directory traversal (CVSS 9.1) in n8n-workflows allows any remote attacker to read and overwrite arbitrary server files — no credentials, no user interaction required. If your AI automation stack runs this component exposed to any network, treat this as immediate compromise risk: workflow files routinely contain API keys, LLM provider tokens, and database credentials. Isolate the service behind a VPN or firewall now; no patch exists yet.

Is CVE-2025-55526 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-55526, increasing the risk of exploitation.

How to fix CVE-2025-55526?

1. IMMEDIATE: Restrict network access to the n8n-workflows API server — place behind VPN, firewall, or internal-only network. Block public exposure of port 8000/8080 (uvicorn default). 2. AUDIT: Check workflow configuration files and server logs for unexpected file access patterns (paths containing `../`, `%2e%2e`, or absolute paths). 3. ROTATE: Assume all secrets stored in workflow files on exposed instances are compromised — rotate API keys, DB credentials, webhook tokens. 4. MONITOR: Alert on HTTP requests to the download_workflow endpoint containing traversal sequences. 5. No official patch available — pin to a pre-vulnerability commit or replace with a hardened fork. 6. Consider running the API server in a minimal container with read-only filesystem mounts outside the workflow directory.

What systems are affected by CVE-2025-55526?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration pipelines, workflow automation, LLM integration layers, API gateway / backend services.

What is the CVSS score for CVE-2025-55526?

CVE-2025-55526 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.76%.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI orchestration pipelinesworkflow automationLLM integration layersAPI gateway / backend services

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py

Exploitation Scenario

An adversary targeting an organization's AI automation infrastructure scans for exposed n8n-workflows API servers. They send a crafted GET request: `GET /download_workflow?file=../../../../etc/environment` — the `download_workflow` function in `api_server.py` passes the unsanitized parameter directly to a file read operation, returning the server's environment file. The attacker iterates through known paths: `.env`, `config.json`, workflow JSON files — harvesting LLM provider API keys, Slack tokens, and database URIs. With integrity impact (I:H), the attacker then writes a malicious workflow definition that executes on the next scheduled run, establishing persistence inside the AI agent's execution context and potentially pivoting to connected services.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Timeline

Published
August 26, 2025
Last Modified
September 15, 2025
First Seen
August 26, 2025

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed