Maximum-severity n8n flaw lets randos run your automation server

A maximum-severity bug in the popular automation platform n8n has left an estimated 100,000 servers wide open to complete takeover, courtesy of a flaw so bad it doesn't even require logging in. The vulnerability, uncovered by researchers at security outfit Cyera, carries a CVSS score of 10.0 and has been dubbed "ni8mare" for …

  1. SVD_NL Silver badge

    Good lord...

    "Let's authenticate this one product running LLMs and accepting user input/commands to every single software product in our environment with highly privileged permissions!"

    Am I the only one seeing the issue here?

    1. Anonymous Coward

      Re: Good lord...

      imo n8n transparently describes itself to be vulnerability-as-a-service so the announcement seems on-brand.

      1. Doctor Syntax Silver badge

        Re: Good lord...

        The more you dig into it...

        Npm, Javascript, DevOps, Low-code/No-code building. No, nothing to go wrong there.

        They have what's termed a SOC 3 report on security. AIUI what this says is that N8N makes assertions about what it does and the auditor confirms that N8N makes its assertions. There seems to be no audit on the product, just an audit on the paperwork.

  2. Anonymous Coward

    popular automation platform

    Never heard of it

  3. Anonymous Coward

    Not a flaw

    > lets randos run your automation server

    But an opportunity to streamline the headcount.

  4. m4r35n357 Silver badge

    Am I doing something wrong?

    I run a home "server", which is accessed by various client machines using key-based SSH.

    That "server" does NOT have any access to the clients; do I need to fix it?

    1. Anonymous Coward

      Re: Am I doing something wrong?

      > do I need to fix it?

      It can be improved.

      I run mine on a Linux 1.6 kernel over telnet with a passwordless root account. Hackers assume it's a honeypot and stay away from it.

      1. John_Ericsson

        Re: Am I doing something wrong?

        If it is not already done, can I suggest you name the server "bitcoin".

  5. TimMaher Silver badge
    Coat

    Randos

    I misread that as Nandos.

    Sounds like they may do a better job.

    1. SVD_NL Silver badge

      Re: Nandos

      RCE - Remote Chicken Enhancement

  6. harrys Bronze badge

    amazing application

    self hosted and used for automating internal workflows, and over overlay networks

    wouldn't dream of opening it to the great unwashed, madness!

    with great power comes great responsibility :)

  7. Anonymous Coward

    Why ni8mare instead of n8mare? ni8mare is unnecessarily hard to say.
