
CVE-2024-44738 & CVE-2024-44337: n8n Workflow Automation Critical Flaws — Detection and Remediation

Security Arsenal Team
April 8, 2026

Security Arsenal’s analysis of the recent Pillar Security disclosure regarding n8n reveals a significant risk profile for organizations utilizing this popular workflow automation platform. We have identified two critical vulnerabilities, CVE-2024-44738 (CVSS 10.0) and CVE-2024-44337 (CVSS 9.1), which, when chained, allow for unauthenticated remote code execution (RCE) and complete server takeover. Given n8n's prevalent use in integrating SaaS platforms and handling sensitive credentials (API keys, database strings), these flaws represent a high-impact vector for supply chain compromise and credential harvesting.

Introduction

On March 11, 2025, Pillar Security disclosed two critical vulnerabilities affecting the n8n workflow automation platform. The most severe issue, CVE-2024-44738, is an authentication bypass in the editor interface, rated CVSS 10.0. This vulnerability allows unauthenticated attackers to access the n8n editor, potentially leading to full control over the automation environment. When combined with CVE-2024-44337, a command injection vulnerability, attackers can execute arbitrary code on the underlying host. Defenders must treat this as a critical emergency; successful exploitation grants attackers the same privileges as the n8n service user, often leading to lateral movement and the exfiltration of secrets stored within workflows.

Technical Analysis

Affected Products: n8n (self-hosted instances)
Affected Versions: Versions prior to 1.60.0
Patched Versions: 1.60.0 and later
CVE Identifiers:

  • CVE-2024-44738 (CVSS 10.0): Authentication Bypass. An attacker can access the n8n editor interface without valid credentials due to a logic flaw in the session handling.
  • CVE-2024-44337 (CVSS 9.1): Command Injection. Specific parameters within custom nodes allow for the injection of operating system commands.

Attack Chain:

  1. Initial Access: An unauthenticated attacker sends a crafted request to the n8n web interface, leveraging CVE-2024-44738 to bypass authentication and gain access to the workflow editor.
  2. Persistence & Execution: The attacker creates or modifies a workflow to exploit CVE-2024-44337. They inject a malicious payload into a vulnerable node parameter (e.g., a custom script or command field).
  3. Payload Execution: When the workflow is executed (manually triggered or via a webhook), the command injection vulnerability triggers, executing the attacker's payload on the host system.
  4. Objective Completion: The attacker achieves RCE, allowing them to steal credentials stored in n8n's credentials vault, move laterally to connected systems, or deploy ransomware.

Exploitation Status: While proof-of-concept (PoC) code is available in the wild, Security Arsenal has not yet observed widespread, active exploitation campaigns. However, the simplicity of exploitation makes it highly likely that threat actors will incorporate this into automated scanners shortly.

Detection & Response

Sigma Rules

---
title: Potential n8n RCE via Node.js Spawning Shell
id: 8a4f2b10-1c3d-4e5f-9a6b-7c8d9e0f1a2b
status: experimental
description: Detects the Node.js process (parent of n8n) spawning a shell, which is indicative of successful RCE via workflow automation exploitation.
references:
  - https://www.infosecurity-magazine.com/news/two-critical-flaws-in-n8n-ai/
author: Security Arsenal
date: 2025/03/14
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/node'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
  condition: selection
falsepositives:
  - Legitimate administrative debugging by n8n developers
level: high
---
title: n8n Editor Access by Unrecognized User Agents
id: 9b5g3c21-2d4e-5f6a-0b7c-8d9e1f2a3b4c
status: experimental
description: Detects POST requests to the n8n editor endpoints from sources that are not known browsers, potentially indicating automated exploitation of CVE-2024-44738.
references:
  - https://www.infosecurity-magazine.com/news/two-critical-flaws-in-n8n-ai/
author: Security Arsenal
date: 2025/03/14
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: nginx
detection:
  selection:
    RequestMethod|contains: 'POST'
    UriPath|contains:
      - '/rest/workflows'
      - '/rest/editor'
  filter:
    UserAgent|contains:
      - 'Mozilla'
      - 'Chrome'
  condition: selection and not filter
falsepositives:
  - API testing tools or legitimate automation clients
level: medium
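The two Sigma rules above encode their logic as a selection (and, for the web rule, a filter that is negated). The following Python is an added example, not Security Arsenal's code, that applies exactly that logic to constructed sample events so the selection/filter semantics can be checked offline before the rules are deployed in a SIEM. It assumes process-creation events already carry the Sigma field names (ParentImage, Image) and that the web server writes nginx's default combined log format; every sample event is constructed for the example.

```python
import re

# Values taken from the two Sigma rules above.
SHELL_SUFFIXES = ("/bash", "/sh", "/zsh")
EDITOR_PATHS = ("/rest/workflows", "/rest/editor")
BROWSER_MARKERS = ("Mozilla", "Chrome")

# nginx combined log format (assumed; adjust if the server uses a custom format).
NGINX_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_nginx_line(line):
    """Map one combined-format access-log line onto the field names the
    second Sigma rule uses. Returns None for lines that do not parse."""
    m = NGINX_RE.match(line)
    if not m:
        return None
    return {
        "ClientIp": m.group("client"),
        "RequestMethod": m.group("method"),
        "UriPath": m.group("path").split("?", 1)[0],  # drop any query string
        "UserAgent": m.group("ua"),
    }


def node_spawns_shell(event):
    """First rule: parent image ends with '/node' and the child image is a
    shell. Mirrors 'condition: selection'."""
    return (event.get("ParentImage", "").endswith("/node")
            and event.get("Image", "").endswith(SHELL_SUFFIXES))


def non_browser_editor_post(event):
    """Second rule: POST to an editor endpoint where the user agent carries
    no browser marker. Mirrors 'condition: selection and not filter'."""
    selection = ("POST" in event.get("RequestMethod", "")
                 and any(p in event.get("UriPath", "") for p in EDITOR_PATHS))
    filtered = any(b in event.get("UserAgent", "") for b in BROWSER_MARKERS)
    return selection and not filtered


def run_rules(process_events, access_log_lines):
    """Apply both rules and return the matching events, keyed by rule."""
    hits = {"node_shell": [], "editor_post": []}
    for ev in process_events:
        if node_spawns_shell(ev):
            hits["node_shell"].append(ev)
    for line in access_log_lines:
        ev = parse_nginx_line(line)
        if ev and non_browser_editor_post(ev):
            hits["editor_post"].append(ev)
    return hits


# Constructed sample events for the example (not captured from a real host).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": "/usr/bin/node", "Image": "/usr/bin/sh",
     "CommandLine": "sh -c id"},                                   # should match
    {"ParentImage": "/usr/bin/node", "Image": "/usr/bin/node",
     "CommandLine": "node /usr/lib/node_modules/n8n/bin/n8n"},     # benign worker
    {"ParentImage": "/usr/bin/sshd", "Image": "/usr/bin/bash",
     "CommandLine": "-bash"},                                      # not node's child
]
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [14/Mar/2025:10:01:02 +0000] "POST /rest/workflows HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '10.0.0.7 - - [14/Mar/2025:10:01:09 +0000] "POST /rest/workflows/42 HTTP/1.1" 200 512 "https://n8n.example.internal/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0"',
    '10.0.0.9 - - [14/Mar/2025:10:02:00 +0000] "GET /rest/workflows HTTP/1.1" 200 9000 "-" "curl/8.5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for rule, events in run_rules(SAMPLE_PROCESS_EVENTS, SAMPLE_ACCESS_LOG).items():
        print(rule, len(events), events)
```

Only the first process event and the first access-log line match: the browser-originated POST is dropped by the filter, and the GET is outside the selection. Running the same harness over a day of real logs is a quick way to measure the false-positive rate of the user-agent filter before tuning the rule level.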

KQL (Microsoft Sentinel / Defender)

// Hunt for a Node.js parent process spawning shells or script interpreters
// (Defender for Endpoint DeviceProcessEvents table; map the field names if the
//  Linux events arrive via Syslog/CEF instead)
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName =~ "node"
| where FileName in~ ("bash", "sh", "zsh", "python", "perl")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessId
| extend Tactic = "Execution", Technique = "Command and Scripting Interpreter"

Velociraptor VQL

-- Hunt for n8n (node) processes spawning suspicious children.
-- The parent set (node processes) is iterated with foreach and the
-- process list is then filtered on Ppid, so only children of node are returned.
SELECT * FROM foreach(
  row={
    SELECT Pid AS NodePid, CommandLine AS NodeCommandLine
    FROM pslist()
    WHERE Name = "node"
  },
  query={
    SELECT Pid, Ppid, Name, CommandLine, Username, Exe, NodeCommandLine
    FROM pslist()
    WHERE Ppid = NodePid
      AND Name IN ("bash", "sh", "dash", "zsh")
  })

Remediation Script (Bash)

#!/bin/bash
# Script to check the installed n8n version and apply the patch via npm
# Usage: sudo ./remediate_n8n.sh
set -euo pipefail

PATCHED_VERSION="1.60.0"

echo "Checking n8n version..."

# Check if n8n is installed via npm (the only install method this script updates)
if command -v n8n &> /dev/null; then
    CURRENT_VERSION=$(n8n --version)
    echo "Current n8n version: $CURRENT_VERSION"
else
    echo "n8n command not found in PATH. If n8n runs in Docker, pull the patched image and redeploy instead."
    exit 2
fi

# Compare versions numerically with sort -V: a plain string comparison
# mis-orders releases such as 1.9.0 and 1.60.0. The instance is vulnerable
# if the installed version sorts before the patched version.
LOWEST=$(printf '%s\n' "$CURRENT_VERSION" "$PATCHED_VERSION" | sort -V | head -n1)
if [[ "$LOWEST" != "$PATCHED_VERSION" ]]; then
    echo "[ALERT] Vulnerable version $CURRENT_VERSION detected. Updating to a patched release..."
    # Update the global npm package (adjust if n8n is installed in a project directory)
    npm update n8n -g
    echo "Update complete. Installed version: $(n8n --version)"
    echo "Restarting n8n service..."
    systemctl restart n8n
    echo "n8n restarted."
else
    echo "[OK] Version $CURRENT_VERSION is patched."
fi

Remediation

  1. Immediate Patching: Update self-hosted n8n instances immediately to version 1.60.0 or later.
    • npm: Run npm install n8n@latest or npm update n8n.
    • Docker: Pull the latest image: docker pull n8nio/n8n:latest and redeploy containers.
  2. Credential Rotation: If your instance was vulnerable prior to patching, assume that credentials (API keys, database passwords, OAuth tokens) stored within n8n workflows may have been compromised. Rotate all secrets managed by the platform.
  3. Access Review: Audit n8n access logs for any unusual editor activity or workflow modifications during the exposure window.
  4. Network Segmentation: Ensure n8n instances are not exposed directly to the public internet without authentication (e.g., place behind an auth proxy like OAuth2-Proxy or Cloudflare Access) as a defense-in-depth measure.
  5. Official Advisory: Refer to the n8n security GitHub repository for detailed release notes.
