Critical Zero-Click Flaw in n8n Allows Full Server Compromise
The critical vulnerability affecting both cloud and self-hosted n8n instances requires no authentication or even n8n account to be exploited
Zero-click attacks exploit flaws without user interaction, enabling compromise through messages or files; prompt patching and exposure reduction limit risk.
Search across headline titles and summaries.
Background for this topic.
Zero-click describes an exploit that can be triggered without the victim tapping a link, opening a file, or otherwise interacting. Attackers send specially crafted data to software that processes content automatically, such as messaging, calling, email, browser, media, or wireless components. A flaw in a parser or processing service may enable code execution, privilege escalation, or information disclosure, although a zero-click vulnerability is not necessarily remotely exploitable or capable of taking full control.
These attacks matter because they can compromise a device with little visible user activity, making prevention and attribution harder; spyware and unauthorized data access are possible outcomes. Prioritize rapid patching of exposed operating systems, applications, and firmware, and reduce attack surface by disabling unnecessary services or automatic processing where practical. Use least privilege and device isolation to limit impact. Monitoring for unexplained crashes, abnormal processes, or unexpected network connections can support detection, while suspected exploitation should trigger preservation of relevant logs and focused investigation.
Weekly headline count for the current query.
The critical vulnerability affecting both cloud and self-hosted n8n instances requires no authentication or even n8n account to be exploited
Ox Security warns that Mail2Shell could enable threat actors to hijack FreeScout systems without user interaction
Security researchers from LayerX identified a new flaw in 50 Claude Desktop Extensions that could lead to unauthorized remote code execution
Researchers at Radware discovered new prompt injection attacks in ChatGPT agentic features
Researchers at Radware found a zero-click flaw in ChatGPT Deep Research agent when connected to Gmail and browsing
WhatsApp has fixed a zero-day vulnerability linked to a sophisticated cyber-attack
The Pwn2Own competition is offering a $1m reward to any teams able to unearth a WhatsApp code execution exploit
Researchers have found a flaw in Microsoft 365 Copilot that allows the exfiltration of sensitive corporate data with a simple email
For trusted senders, the flaw is zero-click, but requires one-click interactions for untrusted ones
Fallout from Operation Triangulation continues
Possible US campaign began in 2019
Researchers say exploit is delivered via iCloud calendar invitation