GHSA-3875-8gcx-7v46 — CRITICAL (CVSS 9.1)

Q: Is GHSA-3875-8gcx-7v46 actively exploited?

No confirmed active exploitation of GHSA-3875-8gcx-7v46 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-3875-8gcx-7v46?

1) PATCH: Upgrade n8n to version 2.20.0 or later — the only full remediation. 2) RESTRICT: If immediate patching is not feasible, limit n8n access to fully trusted users only and revoke credential sharing with non-essential accounts. 3) NETWORK: Block access from the n8n server to cloud metadata addresses (169.254.169.254, fd00:ec2::254) and enforce egress allowlists at the network layer. 4) AUDIT: Review all stored credentials in n8n — rotate any that may have been exposed, especially LLM API keys and cloud IAM tokens. 5) DETECT: Monitor n8n server outbound HTTP traffic for anomalous destinations; alert on requests to RFC1918 ranges, IMDS endpoints, or hosts not in the declared Allowed HTTP Request Domains list. 6) LOG: Enable n8n audit logging and review POST requests to /rest/dynamic-node-parameters/options for unusual option endpoint URLs.

Q: What systems are affected by GHSA-3875-8gcx-7v46?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, LLM API integration pipelines, RAG pipelines with n8n connectors, cloud-hosted AI infrastructure, MLOps workflow automation.

Q: What is the CVSS score for GHSA-3875-8gcx-7v46?

GHSA-3875-8gcx-7v46 has a CVSS v3.1 base score of 9.1 (CRITICAL).

CISO Take

n8n's workflow automation API allows any authenticated user with credential access to abuse the POST /rest/dynamic-node-parameters/options endpoint, forcing the server to issue HTTP requests to arbitrary hosts using stored credentials — completely bypassing the intended Allowed HTTP Request Domains safeguard. With a CVSS of 9.1 Critical and Scope:Changed, even a low-privilege account can pivot to cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), internal AI infrastructure, or any service reachable from the n8n host — using whatever API keys or tokens are stored in the platform. n8n is a popular AI agent orchestration layer frequently wired to OpenAI, Anthropic, vector databases, and cloud services, making its credential store a high-value target with a broad blast radius across connected AI pipelines. Patch to n8n 2.20.0 immediately; if upgrade is not possible, restrict platform access to fully trusted users only, audit all credential sharing, and block IMDS addresses at the network level.

Sources: GitHub Advisory ATLAS OpenSSF NVD

What is the risk?

Critical risk. CVSS 9.1 with Scope:Changed means a successful exploit crosses a security boundary — the n8n server itself becomes a proxy for attacker-directed requests. Privileges required is Low (any authenticated user), Attack Complexity is Low, and no User Interaction is needed, making this trivially weaponizable by any insider or compromised account. The platform's role as an AI workflow orchestrator means stored credentials routinely include LLM API keys, vector DB tokens, and cloud IAM credentials. No public exploit or KEV listing at time of analysis, but the exploitation pattern is well-understood and requires no specialized skill. The 85 historical CVEs in the same package and an OpenSSF Scorecard of 6.1/10 indicate a sustained security debt in this codebase.

Attack Kill Chain

Initial Access

Attacker authenticates to n8n with a low-privilege account — obtained via credential stuffing, phishing, or insider access — and identifies a shared credential (LLM API key, cloud IAM token) they have view access to.

AML.T0012

Exploitation

Attacker sends a crafted POST to /rest/dynamic-node-parameters/options with an arbitrary internal or cloud metadata URL as the options endpoint, bypassing the Allowed HTTP Request Domains restriction enforced by the application.

AML.T0049

Credential Harvest

The n8n server executes the SSRF request using the stored credential's context against the attacker-specified target (e.g., AWS IMDS at 169.254.169.254), returning IAM role tokens or other secrets in the API response.

AML.T0083

Impact

Attacker uses harvested cloud credentials to access AI infrastructure — S3 buckets with training data, model artifacts, or RAG document stores — or directly calls LLM provider APIs using exfiltrated keys for data theft or cost harvesting.

AML.T0086

Initial Access

Attacker authenticates to n8n with a low-privilege account — obtained via credential stuffing, phishing, or insider access — and identifies a shared credential (LLM API key, cloud IAM token) they have view access to.

AML.T0012

Exploitation

Attacker sends a crafted POST to /rest/dynamic-node-parameters/options with an arbitrary internal or cloud metadata URL as the options endpoint, bypassing the Allowed HTTP Request Domains restriction enforced by the application.

AML.T0049

Credential Harvest

The n8n server executes the SSRF request using the stored credential's context against the attacker-specified target (e.g., AWS IMDS at 169.254.169.254), returning IAM role tokens or other secrets in the API response.

AML.T0083

Impact

Attacker uses harvested cloud credentials to access AI infrastructure — S3 buckets with training data, model artifacts, or RAG document stores — or directly calls LLM provider APIs using exfiltrated keys for data theft or cost harvesting.

AML.T0086

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 2.20.0	`2.20.0`
188.2K OpenSSF 6.1 16 dependents Pushed 3d ago 45% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

9.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I Low

A Low

What should I do?

1 step

1) PATCH: Upgrade n8n to version 2.20.0 or later — the only full remediation. 2) RESTRICT: If immediate patching is not feasible, limit n8n access to fully trusted users only and revoke credential sharing with non-essential accounts. 3) NETWORK: Block access from the n8n server to cloud metadata addresses (169.254.169.254, fd00:ec2::254) and enforce egress allowlists at the network layer. 4) AUDIT: Review all stored credentials in n8n — rotate any that may have been exposed, especially LLM API keys and cloud IAM tokens. 5) DETECT: Monitor n8n server outbound HTTP traffic for anomalous destinations; alert on requests to RFC1918 ranges, IMDS endpoints, or hosts not in the declared Allowed HTTP Request Domains list. 6) LOG: Enable n8n audit logging and review POST requests to /rest/dynamic-node-parameters/options for unusual option endpoint URLs.

Classification

Auth Bypass Data Extraction Privacy Violation Agent API Framework AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0083 - Credentials from AI Agent Configuration AML.T0086 - Exfiltration via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system

ISO 42001

A.6.2 - AI system risk management A.8.4 - Access control for AI systems

NIST AI RMF

GOVERN 1.3 - Organizational teams are committed to governance and risk management MANAGE 2.4 - Risks and benefits of AI are continuously monitored

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-3875-8gcx-7v46?

n8n's workflow automation API allows any authenticated user with credential access to abuse the POST /rest/dynamic-node-parameters/options endpoint, forcing the server to issue HTTP requests to arbitrary hosts using stored credentials — completely bypassing the intended Allowed HTTP Request Domains safeguard. With a CVSS of 9.1 Critical and Scope:Changed, even a low-privilege account can pivot to cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), internal AI infrastructure, or any service reachable from the n8n host — using whatever API keys or tokens are stored in the platform. n8n is a popular AI agent orchestration layer frequently wired to OpenAI, Anthropic, vector databases, and cloud services, making its credential store a high-value target with a broad blast radius across connected AI pipelines. Patch to n8n 2.20.0 immediately; if upgrade is not possible, restrict platform access to fully trusted users only, audit all credential sharing, and block IMDS addresses at the network level.

Is GHSA-3875-8gcx-7v46 actively exploited?

No confirmed active exploitation of GHSA-3875-8gcx-7v46 has been reported, but organizations should still patch proactively.

How to fix GHSA-3875-8gcx-7v46?

1) PATCH: Upgrade n8n to version 2.20.0 or later — the only full remediation. 2) RESTRICT: If immediate patching is not feasible, limit n8n access to fully trusted users only and revoke credential sharing with non-essential accounts. 3) NETWORK: Block access from the n8n server to cloud metadata addresses (169.254.169.254, fd00:ec2::254) and enforce egress allowlists at the network layer. 4) AUDIT: Review all stored credentials in n8n — rotate any that may have been exposed, especially LLM API keys and cloud IAM tokens. 5) DETECT: Monitor n8n server outbound HTTP traffic for anomalous destinations; alert on requests to RFC1918 ranges, IMDS endpoints, or hosts not in the declared Allowed HTTP Request Domains list. 6) LOG: Enable n8n audit logging and review POST requests to /rest/dynamic-node-parameters/options for unusual option endpoint URLs.

What systems are affected by GHSA-3875-8gcx-7v46?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, LLM API integration pipelines, RAG pipelines with n8n connectors, cloud-hosted AI infrastructure, MLOps workflow automation.

What is the CVSS score for GHSA-3875-8gcx-7v46?

GHSA-3875-8gcx-7v46 has a CVSS v3.1 base score of 9.1 (CRITICAL).

Technical Details

NVD Description

## Impact The `POST /rest/dynamic-node-parameters/options` endpoint allowed any authenticated user to cause the n8n server to issue HTTP requests including credentials bypassing the intended restrictions on which hosts could be contacted for that credential (Allowed HTTP Request Domains). The user needed to be authenticated and have access to the credential. ## Patches The issue has been fixed in n8n version 2.20.0. Users should upgrade to this version or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Restrict n8n access to fully trusted users only. - Limit credential sharing to users who genuinely require access to those credentials. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privilege n8n account — obtained via phishing, credential stuffing, or insider access — identifies a shared credential (e.g., an OpenAI API key or AWS integration token) they have access to. They send a crafted POST to /rest/dynamic-node-parameters/options with the options endpoint URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDS). The n8n server, bypassing its own domain restriction, executes the outbound request and returns the response containing temporary IAM role credentials. The attacker uses these credentials to authenticate directly to AWS, accessing S3 buckets containing training data, model artifacts, or RAG document stores — or deploys further resources at the victim's expense. The entire chain requires only a valid n8n session and one HTTP request.