Skip to content
AI Security Wire

Published

- 5 min read

By

n8n CVSS 10 RCE and AI Workflow Platforms Face Systematic Targeting

img of n8n CVSS 10 RCE and AI Workflow Platforms Face Systematic Targeting

AI workflow automation platforms are consolidating as a priority attack surface. Three separate disclosures this week confirm that threat actors are treating n8n, Langflow, and GitHub Copilot not as peripheral tooling but as infrastructure worth targeting in their own right. The common thread is the same in all three cases: these platforms handle credentials, execute code, and operate with elevated trust relationships that make them high-value targets with outsized downstream impact.

n8n CVE-2026-21858: CVSS 10 Unauthenticated RCE

CVE-2026-21858 is a critical unauthenticated remote code execution vulnerability in n8n, the open-source workflow automation platform used across enterprise environments to connect APIs, databases, and internal services. The flaw carries a CVSS score of 10.0 — the maximum — and requires no authentication to exploit. An attacker with network access to an n8n instance can achieve full code execution on the server without credentials, without prior access, and without any user interaction.

The impact extends well beyond the n8n server itself. n8n’s core function is to store and use credentials for dozens of connected services. A typical enterprise n8n deployment manages OAuth tokens for SaaS platforms, API keys for internal and external services, database connection strings, and webhook endpoints. Code execution on the n8n server gives an attacker access to all of these simultaneously.

Self-hosted n8n instances with external exposure are the highest-risk population. Cloud-hosted n8n deployments where the vendor manages the underlying infrastructure are less directly affected, but organisations should verify their deployment model and confirm they are running the patched release. n8n has published a fix; update priority should reflect the CVSS 10.0 rating and the credential aggregation risk.

Langflow CVE-2026-55255 Enters CISA KEV

CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities catalog as part of the July 7–9 batch. The vulnerability is an insecure direct object reference in Langflow that enables unauthorised access to objects including credentials. CVSS score is 6.1, lower than n8n’s critical rating but significant for what the KEV addition represents.

This is Langflow’s second KEV entry. CVE-2026-33017 (unauthenticated RCE) entered the catalog in an earlier batch this year. The pattern of multiple KEV entries over a short window indicates sustained active exploitation of Langflow’s attack surface — not opportunistic scanning but targeted campaigns where Langflow access is the operational objective.

The CVE-2026-55255 IDOR creates a credential theft path that is distinct from the prior RCE entries. Attackers can access objects they are not authorised to see without requiring the full code execution path. For organisations running Langflow as production AI pipeline infrastructure, this broadens the exploitation scenarios to include targeted credential harvesting without the visibility that a full compromise would typically generate.

Langflow users should apply the current release and audit which credentials are stored in the application. CISA’s federal patch deadline for this KEV batch was July 10.

GitHub Copilot CVE-2025-53773: Prompt Injection to Shell

CVE-2025-53773 documents a prompt injection vulnerability in GitHub Copilot’s Model Context Protocol integration rated CVSS 9.6. MCP allows Copilot to call external tools and services; the vulnerability enables an attacker to inject instructions through content that Copilot processes — malicious repository files, poisoned MCP tool descriptions, or crafted code comments — that cause Copilot to execute arbitrary shell commands on the developer’s machine.

The attack surface is defined by what Copilot reads. In practice this includes any repository a developer opens, any MCP server their Copilot configuration connects to, and any third-party code brought into scope during a coding session. A malicious comment buried in a dependency, a compromised MCP server in a developer’s configuration, or a poisoned file in a repository under review can all serve as injection vectors.

The consequence is code execution in the context of the developer’s local session, which typically means access to their credentials, SSH keys, API tokens in environment files, and any services their machine is authenticated to reach. Copilot’s elevated trust relationship with the developer’s filesystem and shell makes prompt injection impact more severe than the same vulnerability in a web application context.

GitHub has issued an advisory for CVE-2025-53773. Copilot users should update to the patched version and audit their MCP server configurations to remove or review any third-party servers that process untrusted external content.

The Wider Pattern

These three disclosures share a structural characteristic. n8n, Langflow, and GitHub Copilot are all platforms that operate with broad credentials, execute actions on behalf of users, and are trusted by design to handle inputs from multiple sources. That combination — broad trust, external inputs, execution capability — is precisely what makes them valuable to threat actors.

The CISA KEV additions for Langflow confirm that exploitation is not hypothetical. The n8n CVSS 10.0 rating signals that the vendor and security community consider unpatched exposure a maximum-severity risk. The Copilot disclosure demonstrates that the prompt injection risk in developer AI tooling is being actively researched and will continue to surface new variants.

Organisations that have deployed any of these platforms should audit their exposure, confirm patching status, and review the credential access each platform holds as a prerequisite for assessing blast radius if exploitation has already occurred.

References

Frequently Asked Questions

What is CVE-2026-21858 in n8n and how severe is it?
CVE-2026-21858 is an unauthenticated remote code execution vulnerability in n8n, the open-source workflow automation platform, carrying a CVSS score of 10.0. An attacker with network access to an n8n instance requires no credentials to achieve full code execution on the host. Because n8n instances frequently hold API keys and OAuth credentials for dozens of connected services, exploitation gives attackers immediate access to the entire integration ecosystem the workflow server manages.
Why has Langflow been added to CISA KEV again with CVE-2026-55255?
CVE-2026-55255 is an insecure direct object reference (IDOR) vulnerability in Langflow that enables unauthorised credential access. CISA added it to the Known Exploited Vulnerabilities catalog in the July 7–9 2026 batch, confirming active exploitation. This is Langflow's second KEV entry and marks the first time an AI agent platform has appeared in the catalog — signalling that threat actors are now systematically targeting AI workflow infrastructure rather than treating it as incidental.
What is the GitHub Copilot CVE-2025-53773 vulnerability and what can attackers do with it?
CVE-2025-53773 is a prompt injection vulnerability in GitHub Copilot's MCP (Model Context Protocol) integration, rated CVSS 9.6. An attacker who can influence content that Copilot processes — via a malicious repository, a poisoned MCP tool description, or crafted comments in code — can inject instructions that cause Copilot to execute arbitrary shell commands on the developer's machine. This converts any content-handling operation in Copilot into a potential code execution path.