Shapefin

Critical Sandbox Escape Flaws in n8n Expose Enterprise AI Systems, Pillar Security Reports


Pillar Security, an AI security firm, has revealed critical sandbox escape vulnerabilities in n8n, an open-source workflow automation platform, enabling authenticated users to achieve full server control and access sensitive credentials across self-hosted and cloud deployments. These vulnerabilities, assigned a maximum CVSS score of 10.0 (Critical), significantly impact enterprise AI infrastructure where n8n orchestrates agentic workflows and LLM-powered applications.

Pillar Security identified that any authenticated user could exploit these flaws to execute arbitrary system commands, leading to the theft of every stored credential, API key, and secret. This includes critical AI API keys, vector database credentials, and proprietary prompts, which are particularly concerning for organizations deploying AI at scale.

Eilon Cohen, AI Security Researcher at Pillar Security, stated, “What makes these vulnerabilities particularly dangerous is the combination of ease of exploitation and the high-value targets they expose. If you can create a workflow in n8n, you can own the server. For attackers, this means access to OpenAI keys, Anthropic credentials, AWS accounts, and the ability to intercept or modify AI interactions in real-time – all while the workflows continue functioning normally.”

The key findings from the research include a maximum CVSS 10.0 Critical score (Advisory: GHSA-6cqr-8cfr-67f8) and trivial exploitation methods requiring no special privileges. The vulnerabilities lead to complete credential exposure by granting access to the N8N_ENCRYPTION_KEY, which allows decryption of all stored credentials. This also enables AI pipeline hijacking, where attackers can intercept prompts, modify AI responses, redirect traffic, and exfiltrate sensitive data. For multi-tenant n8n Cloud environments, a single compromised user could potentially access shared infrastructure and other customers’ data within the Kubernetes cluster. Notably, a second vulnerability was discovered just 24 hours after the initial patch, bypassing the first fix.

The vulnerabilities affect all n8n users prior to version 2.4.0. This includes self-hosted deployments, where complete server compromise and access to environment variables and connected systems are possible, and n8n Cloud users, who face multi-tenant environment risks. AI-first organizations using n8n for AI orchestration are at heightened risk of exposure for credentials related to OpenAI, Anthropic, Azure OpenAI, Hugging Face, and vector databases such as Pinecone, Weaviate, and Qdrant.

Identified attack scenarios included credential harvesting, AI man-in-the-middle attacks, workflow poisoning through data exfiltration injection, supply chain compromise via malicious workflow templates, and lateral movement into connected cloud providers’ environments using stolen credentials.

Pillar Security recommends immediate mitigation actions: upgrading to n8n version 2.4.0 or later, rotating the n8n encryption key if an affected version was used, rotating all stored credentials due to potential compromise, auditing workflow execution logs for suspicious activity, and monitoring AI workflows for unusual patterns like base URL changes or modified prompts.
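The monitoring step above (base URL changes, modified prompts) can be approximated by diffing a trusted workflow export against the current one. The following is an added example, not code from Pillar Security or n8n; it assumes each export is JSON with a `nodes` array whose entries carry `name` and `parameters`, and the key-name pattern and sample snapshots are constructed for illustration.

```javascript
// Added example: flag URL-like or prompt-like parameter changes between two workflow snapshots.
const SENSITIVE_KEY = /(url|uri|host|endpoint|prompt|systemmessage)/i; // assumed key names
// Flatten nested node parameters into { "path.to.key": value } pairs.
function flatten(value, prefix, out) {
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      flatten(v, prefix ? `${prefix}.${k}` : k, out);
    }
  } else {
    out[prefix] = value;
  }
  return out;
}
// Index nodes by name (assumed unique within one workflow).
function indexNodes(workflow) {
  const byName = new Map();
  for (const node of workflow.nodes || []) {
    byName.set(node.name, flatten(node.parameters || {}, "", {}));
  }
  return byName;
}

// Report nodes added since the baseline and sensitive parameters whose value changed.
function diffWorkflow(baseline, current) {
  const before = indexNodes(baseline);
  const findings = [];
  for (const [node, params] of indexNodes(current)) {
    const old = before.get(node);
    if (!old) { findings.push({ node, path: "(node)", change: "added" }); continue; }
    for (const path of new Set([...Object.keys(old), ...Object.keys(params)])) {
      if (!SENSITIVE_KEY.test(path) || old[path] === params[path]) continue;
      findings.push({ node, path, change: "modified", before: old[path], after: params[path] });
    }
  }
  return findings;
}

// Constructed sample snapshots (not real exports).
const BASELINE = { nodes: [
  { name: "Chat Model", parameters: { options: { baseURL: "https://api.example.com/v1" }, temperature: 0.2 } },
  { name: "Agent", parameters: { systemMessage: "Answer from the knowledge base only." } },
] };
const CURRENT = { nodes: [
  { name: "Chat Model", parameters: { options: { baseURL: "https://proxy.example.net/v1" }, temperature: 0.7 } },
  { name: "Agent", parameters: { systemMessage: "Answer from the knowledge base only." } },
  { name: "Forward", parameters: { url: "https://collector.example.net/in" } },
] };
console.log(diffWorkflow(BASELINE, CURRENT));
```

On the sample data this reports the changed `options.baseURL` and the newly added node, and ignores the unrelated `temperature` change.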

Following responsible disclosure practices, Pillar Security reported both vulnerabilities to n8n, which provided rapid patches during the holiday season, releasing version 2.4.0 with fixes in January 2026.

Pillar Security is an AI security platform offering visibility and control for secure AI systems. The company, founded by cybersecurity experts, secures the entire AI lifecycle through AI Discovery, AI Security Posture Management (AI-SPM), AI Red Teaming, and Adaptive Runtime Guardrails. Its platform aims to prevent data leakage, neutralize AI-specific threats, and ensure compliance with regulations, serving global enterprises by analyzing millions of prompts and scanning thousands of code repositories monthly. The platform leverages insights from real-world threat intelligence and advanced adversarial research.
