Hello.
I would like to start implementing a plugin to detect exposed n8n automation
instances where internal UI/REST API endpoints are accessible without
authentication.
The detector uses a multi-signal fingerprinting approach to confirm the
presence of n8n before testing REST API exposure. Fingerprinting is
performed using one or more of the following indicators:
- n8n web UI endpoints (e.g. /workflows or redirect behavior from /)
- Authentication UI (/signin)
- n8n-specific headers or frontend markers
Once n8n presence is confirmed, the detector checks for unauthenticated
access to internal REST endpoints such as /rest/workflows.
In all supported n8n versions, the /rest/* API is intended to be accessible
only to authenticated users. When exposed, attackers can enumerate,
modify, and execute workflows containing built-in command execution
nodes, which can lead to remote code execution on the host system.
This issue may affect:
- Legacy n8n deployments where authentication is disabled
- Modern n8n (1.x) deployments where reverse proxy or access control
misconfiguration exposes internal REST endpoints
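An offline model of the fingerprint-then-probe flow described above, added here as an illustration and not the plugin's own code: it counts n8n fingerprint signals and only then checks whether an unauthenticated /rest/workflows answer actually carries workflow data. The HTML markers and the {"data": [...]} response envelope are assumptions, and the responses are constructed inline rather than fetched.

```python
"""Offline model of fingerprint-then-probe. Responses are constructed
(status, headers, body) triples keyed by request path; a real plugin
would obtain them from the scanner's HTTP client."""
import json
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], str]
EMPTY: Response = (0, {}, "")
# Frontend markers are an assumption, not a documented n8n fingerprint.
BODY_MARKERS = ("<title>n8n", "window.BASE_PATH")

def _hdr(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def fingerprint(resp: Dict[str, Response]) -> int:
    """Count independent signals that the host runs n8n."""
    signals = 0
    # Signal 1: "/" redirects into the n8n UI.
    status, headers, _ = resp.get("/", EMPTY)
    target = _hdr(headers, "Location").rstrip("/")
    if status in (301, 302, 307) and target.endswith(("/workflows", "/signin")):
        signals += 1
    # Signals 2 and 3: n8n frontend markers on the sign-in and workflows pages.
    for path in ("/signin", "/workflows"):
        status, _, body = resp.get(path, EMPTY)
        if status == 200 and any(m in body for m in BODY_MARKERS):
            signals += 1
    return signals

def rest_exposed(resp: Dict[str, Response]) -> bool:
    """True when an unauthenticated GET /rest/workflows returns workflow data.
    Requiring JSON with a top-level "data" list (an assumed envelope) avoids
    false positives from proxies that answer every path with a 200 HTML shell."""
    status, headers, body = resp.get("/rest/workflows", EMPTY)
    if status != 200 or "application/json" not in _hdr(headers, "Content-Type"):
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    return isinstance(payload, dict) and isinstance(payload.get("data"), list)

def assess(resp: Dict[str, Response], min_signals: int = 2) -> str:
    """Probe the REST API only once fingerprinting is confident."""
    if fingerprint(resp) < min_signals:
        return "not-n8n"
    return "exposed" if rest_exposed(resp) else "not-exposed"
```

The JSON-envelope requirement is the false-positive guard worth keeping in a real plugin: a reverse proxy that serves the single-page-app shell for unknown paths returns 200 for /rest/workflows even when the API itself is locked down.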