n8n Improper Input Validation Unauthenticated RCE Exploit

This module chains two vulnerabilities in n8n to achieve unauthenticated remote code execution. The module abuses a vulnerable unauthenticated form endpoint to read local files from the target system. That file read primitive is then used to recover the n8n home path, configuration data, and encryption key material. The module then reads the n8n SQLite database to extract administrator account data from the application datastore. With that information, it forges an authenticated administrator token and creates a malicious workflow through the n8n API. Finally, the crafted workflow is used to execute operating system commands and deploy an agent on the target. The deployed agent will run with the privileges of the n8n service account.