AI Sec Watch

n8n's Source Control feature, when configured to use SSH (a secure network protocol), disabled host key verification, meaning it didn't confirm the identity of the Git server it was connecting to. An attacker on the network could trick n8n into connecting to a fake server and inject malicious code into workflows or steal repository data.

n8n, a workflow automation tool, had a security flaw where authenticated users without permission could bypass authorization checks and access plaintext values of external secrets (credentials stored in connected vaults) by guessing secret names. This vulnerability only affects instances with external vaults configured and requires the attacker to be a valid user who knows the target secret's name.

n8n versions with `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` set to true have an authorization bypass vulnerability where attackers can trick users into connecting their OAuth tokens (credentials used for third-party authentication) to attacker-controlled accounts, allowing the attacker to run workflows with those stolen credentials. This only affects instances where this setting is explicitly enabled, which is not the default configuration.

OpenTelemetry Java instrumentation versions before 2.26.1 have a vulnerability in RMI instrumentation where incoming data is deserialized without proper validation, allowing attackers with network access to potentially execute arbitrary code on the affected system. The attack requires three conditions: OpenTelemetry must be running as a Java agent, an RMI endpoint (remote method invocation, a Java system for calling methods on remote servers) must be accessible over the network, and a gadget-chain-compatible library (a collection of existing code that can be chained together to execute unintended commands) must be present.

Datasette-llm 0.1a1 is a new plugin that lets other Datasette plugins use AI models by creating a central way to manage which models are used for which tasks. It introduces a register_llm_purposes() hook (a function that other plugins can use to register what they do) and allows plugins to request a specific model by its purpose, like asking for "the model designated for data enrichment" rather than hardcoding a model name.

Streamlit Open Source versions before 1.54.0 on Windows have an unauthenticated SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making unintended network requests) in how it handles file paths. An attacker can supply a malicious UNC path (a Windows network address like \\attacker-host\share) that causes the Streamlit server to initiate SMB connections (the protocol Windows uses for file sharing) and leak NTLMv2 credential hashes (authentication proof) of the user running Streamlit, which could then be used in relay attacks or password cracking.

n8n (a workflow automation platform) had a security flaw where LDAP authentication (a directory service for user identity management) would automatically link an LDAP user account to an existing local account if their email addresses matched. An attacker could change their LDAP email to match an administrator's email and gain full access to that account, with the unauthorized access persisting even after the email was changed back. This only affects n8n instances that have LDAP authentication specifically enabled.

n8n Community Edition has a security flaw where authenticated users with basic permissions can steal plaintext secrets from other users' HTTP credentials (like basic auth or header auth) by exploiting flaws in how credentials are looked up and validated. This happens because the system doesn't properly check who owns a credential and skips security checks for generic HTTP credential types, though this only affects Community Edition and not the paid Enterprise version.

n8n, a workflow automation tool, has a security flaw in its Merge node's SQL mode that allows authenticated users to read files from the server and execute arbitrary code (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability exists because the AlaSQL sandbox (a restricted environment meant to safely run SQL code) did not properly block certain dangerous SQL statements.