CVE-2025-55526: n8n-workflows: path traversal in download_workflow endpoint
CRITICAL · PoC AVAILABLE · CISA: ATTEND
A critical unauthenticated directory traversal (CVSS 9.1) in n8n-workflows allows any remote attacker to read and overwrite arbitrary server files — no credentials, no user interaction required. If your AI automation stack runs this component exposed to any network, treat this as immediate compromise risk: workflow files routinely contain API keys, LLM provider tokens, and database credentials. Isolate the service behind a VPN or firewall now; no patch exists yet.
Risk Assessment
Extremely high exploitability: network-accessible, low complexity, zero authentication, zero user interaction (AV:N/AC:L/PR:N/UI:N). High confidentiality AND integrity impact means attackers can both exfiltrate sensitive data and tamper with workflow configurations. n8n-workflows is commonly internet-exposed in automation and AI agent deployments, making this broadly exploitable by unsophisticated threat actors. No patch or fixed version is currently available, extending the exposure window.
Recommended Action
1. IMMEDIATE: Restrict network access to the n8n-workflows API server — place behind VPN, firewall, or internal-only network. Block public exposure of port 8000/8080 (uvicorn default).
2. AUDIT: Check workflow configuration files and server logs for unexpected file access patterns (paths containing `../`, `%2e%2e`, or absolute paths).
3. ROTATE: Assume all secrets stored in workflow files on exposed instances are compromised — rotate API keys, DB credentials, webhook tokens.
4. MONITOR: Alert on HTTP requests to the download_workflow endpoint containing traversal sequences.
5. No official patch available — pin to a pre-vulnerability commit or replace with a hardened fork.
6. Consider running the API server in a minimal container with read-only filesystem mounts outside the workflow directory.
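The AUDIT and MONITOR steps above call for spotting traversal sequences in requests to the download endpoint. The following is an added example (not code from the n8n-workflows project) that scans constructed uvicorn-style access-log lines for the `file` query parameter used in the scenario on this page, decoding percent-encoding repeatedly so double-encoded `%252e%252e` variants and absolute paths are also caught. The log format and the `file` parameter name are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not real server logs).
SAMPLE_LOG = """\
10.0.0.5 - "GET /download_workflow?file=0001_Telegram_Bot.json HTTP/1.1" 200
203.0.113.9 - "GET /download_workflow?file=../../../../etc/environment HTTP/1.1" 200
203.0.113.9 - "GET /download_workflow?file=%2e%2e%2f%2e%2e%2fconfig.json HTTP/1.1" 200
203.0.113.9 - "GET /download_workflow?file=%252e%252e%252fworkflows.db HTTP/1.1" 404
198.51.100.2 - "GET /download_workflow?file=/etc/passwd HTTP/1.1" 200
10.0.0.5 - "GET /api/workflows HTTP/1.1" 200
"""

# client, method, request target, status code (assumed log layout)
REQUEST_RE = re.compile(r'^(\S+) - "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')
# a ".." path segment anywhere in the (already slash-normalised) value
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e (double-encoded) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_param: str) -> bool:
    """True if the parameter names an absolute path or contains a '..' segment."""
    decoded = fully_decode(file_param).replace("\\", "/")
    return decoded.startswith("/") or TRAVERSAL_RE.search(decoded) is not None


def flag_traversal_requests(log_text: str) -> list:
    """Return (client, decoded file parameter, status) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/download_workflow":
            continue
        # parse_qs decodes once; fully_decode handles the remaining layers
        for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            if is_traversal(value):
                hits.append((client, fully_decode(value), int(status)))
    return hits
```

A 404 on a traversal attempt (the `workflows.db` line) is still worth alerting on: it shows probing even when the guessed path did not exist.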
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-55526 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-55526, increasing the risk of exploitation.
What systems are affected by CVE-2025-55526?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration pipelines, workflow automation, LLM integration layers, API gateway / backend services.
What is the CVSS score for CVE-2025-55526?
CVE-2025-55526 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.63%.
Technical Details
NVD Description
n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py.
Exploitation Scenario
An adversary targeting an organization's AI automation infrastructure scans for exposed n8n-workflows API servers. They send a crafted GET request: `GET /download_workflow?file=../../../../etc/environment` — the `download_workflow` function in `api_server.py` passes the unsanitized parameter directly to a file read operation, returning the server's environment file. The attacker iterates through known paths: `.env`, `config.json`, workflow JSON files — harvesting LLM provider API keys, Slack tokens, and database URIs. With integrity impact (I:H), the attacker then writes a malicious workflow definition that executes on the next scheduled run, establishing persistence inside the AI agent's execution context and potentially pivoting to connected services.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
- github.com/Zie619/n8n-workflows/issues/48 Exploit Issue
- github.com/fkie-cad/nvd-json-data-feeds Exploit