How did attackers exploit n8n in these phishing campaigns?

Attackers created malicious webhooks on n8n's platform to send automated phishing emails, delivering malware or performing device fingerprinting by leveraging n8n's trusted infrastructure.

What measures can organizations take to prevent such abuses?

Organizations should scrutinize third-party integrations, enhance monitoring of automated workflows, and implement strict security controls to prevent exploitation of automation platforms.

n8n Webhooks Exploited in Phishing Campaigns Since October 2025

Discover how threat actors have been abusing n8n's webhooks to conduct sophisticated phishing campaigns, delivering malware and performing device fingerprinting since October 2025.

Published: April 15, 2026

Share this on:

Executive Summary

In October 2025, threat actors began exploiting n8n, a widely-used AI workflow automation platform, to conduct sophisticated phishing campaigns. By creating malicious webhooks on n8n's trusted infrastructure, attackers were able to bypass traditional security filters and deliver malware or perform device fingerprinting through automated emails. This abuse allowed them to distribute malicious payloads and gather sensitive information from targeted devices. (thehackernews.com)

The exploitation of legitimate automation platforms like n8n underscores a growing trend where attackers leverage trusted services to evade detection. This incident highlights the need for organizations to scrutinize third-party integrations and enhance monitoring of automated workflows to prevent similar abuses. (blog.talosintelligence.com)

Why This Matters Now

The increasing abuse of legitimate platforms like n8n for malicious purposes demonstrates the evolving tactics of cybercriminals. Organizations must proactively assess and secure their automation tools to prevent exploitation and protect sensitive data. (blog.talosintelligence.com)

Attack Path Analysis

Attackers exploited n8n webhooks to send phishing emails, leading to credential theft. With stolen credentials, they escalated privileges within cloud environments. They moved laterally across services, establishing command and control channels. Sensitive data was exfiltrated, culminating in operational disruption.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

Attackers exploited n8n webhooks to send phishing emails, leading to credential theft.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-21858
CVSS 10
An unauthenticated remote code execution vulnerability in n8n's webhook request handling allows attackers to execute arbitrary commands on the host server.
Affected Products:
n8n n8n – 1.65.0 to before 1.121.0
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-21858 https://www.upwind.io/feed/cve-2026-21858-n8n-unauthenticated-rce https://www.cyber.gc.ca/en/alerts-advisories/al26-001-vulnerabilities-affecting-n8n-cve-2026-21858-cve-2026-21877-cve-2025-68613
CVE-2026-21894
CVSS 6.5
An authentication bypass in n8n's Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events.
Affected Products:
n8n n8n – 0.150.0 to before 2.2.2
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-21894 https://vulert.com/vuln-db/CVE-2026-21894

MITRE ATT&CK® Techniques

Initial Access

T1566.002

Phishing: Spearphishing Link

Resource Development

T1584

Compromise Infrastructure

Reconnaissance

T1598.003

Phishing for Information: Spearphishing Link

Defense Evasion

T1665

Hide Infrastructure

Reconnaissance

T1656

Impersonation

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

Control ID: 6.4.3

The abuse of n8n webhooks to deliver malware via phishing emails indicates a failure in monitoring and controlling the use of webhooks, which can be exploited to bypass security measures.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident highlights the need for comprehensive cybersecurity policies that address the use and monitoring of third-party services like n8n to prevent their exploitation in phishing campaigns.

DORA – ICT Risk Management Framework

Control ID: Article 5

The exploitation of n8n webhooks underscores the necessity for financial entities to implement robust ICT risk management frameworks that include the assessment and monitoring of third-party services to prevent their misuse.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

The incident demonstrates the importance of maintaining an accurate inventory of assets, including third-party services like n8n, to ensure they are properly secured and monitored within a zero trust architecture.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The abuse of n8n webhooks for malicious purposes indicates a need for enhanced cybersecurity risk management measures, including the assessment and monitoring of third-party services to prevent their exploitation.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

AI workflow automation platforms like n8n create critical vulnerabilities for IT infrastructure, enabling attackers to bypass security filters through trusted automation services.

Financial Services

Phishing campaigns leveraging trusted AI platforms pose severe risks to financial institutions, potentially compromising sensitive customer data and regulatory compliance requirements.

Health Care / Life Sciences

Healthcare organizations using workflow automation face increased phishing threats that could compromise patient data and violate HIPAA compliance through encrypted traffic vulnerabilities.

Computer Software/Engineering

Software companies integrating AI workflow tools become prime targets for sophisticated phishing attacks that exploit automation platforms to deliver malicious payloads.

Sources

n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emailshttps://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html
Verified

CVE-2026-21858: Unauthenticated RCE in n8n Webhookshttps://www.upwind.io/feed/cve-2026-21858-n8n-unauthenticated-rce

Verified

AL26-001 – Vulnerabilities affecting n8n – CVE-2026-21858, CVE-2026-21877 and CVE-2025-68613https://www.cyber.gc.ca/en/alerts-advisories/al26-001-vulnerabilities-affecting-n8n-cve-2026-21858-cve-2026-21877-cve-2025-68613

Verified

Frequently Asked Questions

n8n is an open-source workflow automation platform that allows users to connect various web applications, APIs, and AI model services to automate tasks and data synchronization.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data within the cloud environment.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial credential theft via phishing, it could limit the attacker's subsequent actions within the cloud environment.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation would likely constrain the attacker's ability to escalate privileges by enforcing strict access controls and limiting lateral movement.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's lateral movement by enforcing segmentation and monitoring internal traffic.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control would likely constrain the establishment of command and control channels by monitoring and controlling outbound communications.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit data exfiltration by controlling and monitoring outbound data flows.

Impact (Mitigations)

Aviatrix Zero Trust CNSF would likely reduce the operational impact by limiting the attacker's ability to access and exfiltrate sensitive data.

Impact at a Glance

Affected Business Functions

Email Communications
Workflow Automation

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of sensitive workflow data and credentials stored within n8n instances.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within cloud environments.
• Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud services.
• Enforce East-West Traffic Security to monitor internal communications and detect unauthorized movements.
• Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

n8n Webhooks Exploited in Phishing Campaigns Since October 2025

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-21858

Affected Products:

Exploit Status:

References:

CVE-2026-21894

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Phishing: Spearphishing Link

Compromise Infrastructure

Phishing for Information: Spearphishing Link

Hide Infrastructure

Impersonation

Potential Compliance Exposure

PCI DSS 4.0 – Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Financial Services

Health Care / Life Sciences

Computer Software/Engineering

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads