npm package discovery and stats viewer.


n8n-security

v0.1.0


n8n-security

Audit any self-hosted n8n instance for the misconfigurations that lead to takeover — the unauthenticated /rest/settings config+version leak, open owner-setup registration, a running version exposed to known critical CVEs, and a missing auth wall on the editor/REST API — and prove each one live with an anonymous probe. Other checklists tell you what might be wrong; this fetches the bytes and shows you what is.

Run it in one line, no API key, no install:

npx n8n-security --url https://your-n8n.example.com

🤝 Want it done for you? Fixed-scope audit — $99 / 24h: I verify each finding live and send a written report with the exact config fixes.


$ npx n8n-security --url https://n8n.example.com
2 critical, 2 high, 0 medium — 5 CONFIRMED via anonymous probe (version 1.100.0)
  CRITICAL  version 1.100.0   affected by CVE-2026-21858 'Ni8mare' (CVSS 10.0, unauth RCE)
  CRITICAL  /setup            owner account unclaimed — anyone can take the instance
  HIGH      /rest/settings    version + full config leaked with no auth
  HIGH      /api/v1/workflows public REST API answers without an API key

Why this exists

n8n is one of the fastest-growing self-hosted apps (5,834+ community nodes), and huge numbers of instances end up directly on the internet — Censys counts 26,512 exposed n8n hosts. The fatal default: the editor port is reachable with no auth wall, and /rest/settings answers anyone with the exact running version and full instance config.

That keyless oracle makes the rest trivial. Q1 2026 alone brought a cluster of critical CVEs, including CVE-2026-21858 'Ni8mare' (CVSS 10.0, unauthenticated RCE) and CVE-2026-21877 (CVSS 10.0) — an attacker reads your version off /rest/settings and picks the matching exploit.

n8n-security checks for these and confirms the real ones by issuing the exact anonymous request an attacker would — so you triage facts, not maybes.

What it checks

| Check | Severity | How it's confirmed |
|---|---|---|
| /rest/settings config + version leak | high | anonymous GET /rest/settings returns 200 with versionCli + config |
| Running version vs known critical CVEs | critical | disclosed version compared to fixed releases (CVE-2026-21858, CVE-2026-21877) |
| Open owner-setup registration | critical | userManagement.showSetupOnFirstLoad === true → owner unclaimed |
| No auth on editor / REST API | critical | REST API answers anonymously and user-management is off |
| Public REST API without a key | high | GET /api/v1/workflows returns data with no X-N8N-API-KEY |
| CORS reflects arbitrary Origin | high | sends a foreign Origin, sees it echoed in Access-Control-Allow-Origin |
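To make the table concrete, here is an added example (not the n8n-security project's own code) of the decision logic behind each check, written as pure functions over captured HTTP responses so it runs offline. Only the endpoints and field names the table itself lists (/rest/settings, versionCli, userManagement.showSetupOnFirstLoad, /api/v1/workflows, X-N8N-API-KEY, Access-Control-Allow-Origin) come from the page; the sample responses are constructed, the advisory list uses a placeholder CVE id and a placeholder fixed version because the page gives no fixed-release numbers, and the attacker Origin is made up.

```javascript
// Added example, not n8n-security's code. Responses are plain {status, headers, body}
// objects; SAMPLE below is constructed and PLACEHOLDER_ADVISORIES carries made-up values.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v ?? ''));
  return m ? m.slice(1, 4).map(Number) : null;
}

// -1, 0 or 1 comparing MAJOR.MINOR.PATCH numerically (so 1.9.0 < 1.10.0); pre-release tags ignored.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function header(resp, name) {
  const hit = Object.entries(resp.headers || {}).find(([k]) => k.toLowerCase() === name);
  return hit ? hit[1] : undefined;
}

// Anonymous GET /rest/settings: a 200 with a JSON body is itself the leak; the body then
// drives the open-setup check and the version-vs-advisory comparison.
function checkSettings(resp, advisories) {
  const findings = [];
  if (resp.status !== 200) return findings;
  let body;
  try { body = JSON.parse(resp.body); } catch { return findings; }
  const version = body.versionCli;
  findings.push({ check: '/rest/settings', severity: 'high',
    detail: `version ${version} + full config served with no auth` });
  if (body.userManagement && body.userManagement.showSetupOnFirstLoad === true) {
    findings.push({ check: '/setup', severity: 'critical', detail: 'owner account unclaimed' });
  }
  for (const adv of advisories) {
    if (parseVersion(version) && compareVersions(version, adv.fixedIn) < 0) {
      findings.push({ check: 'version', severity: 'critical',
        detail: `${version} affected by ${adv.id} (fixed in ${adv.fixedIn})` });
    }
  }
  return findings;
}

// GET /api/v1/workflows sent with no X-N8N-API-KEY header: a 200 means the key is not enforced.
function checkPublicApi(resp) {
  if (resp.status !== 200) return [];
  return [{ check: '/api/v1/workflows', severity: 'high',
    detail: 'public REST API answers without an API key' }];
}

// A foreign Origin was sent; it is a finding only if that exact value is echoed back.
function checkCors(resp, sentOrigin) {
  if (header(resp, 'access-control-allow-origin') !== sentOrigin) return [];
  const creds = header(resp, 'access-control-allow-credentials') === 'true';
  return [{ check: 'CORS', severity: 'high',
    detail: `Origin ${sentOrigin} reflected${creds ? ' with credentials allowed' : ''}` }];
}

function audit({ settings, workflows, cors }, advisories, sentOrigin) {
  return [...checkSettings(settings, advisories), ...checkPublicApi(workflows),
    ...checkCors(cors, sentOrigin)];
}

function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0 };
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Live collection with Node 18+ global fetch (assumed available; not used by the sample run).
async function probe(base, origin) {
  const get = async (path, headers = {}) => {
    const r = await fetch(new URL(path, base), { headers, redirect: 'manual' });
    return { status: r.status, headers: Object.fromEntries(r.headers), body: await r.text() };
  };
  return { settings: await get('/rest/settings'), workflows: await get('/api/v1/workflows'),
    cors: await get('/rest/settings', { Origin: origin }) };
}

// Constructed sample: unclaimed instance, open public API, reflected Origin, and a version
// below a PLACEHOLDER fixed release (the real fixed versions are not given on this page).
const EVIL_ORIGIN = 'https://attacker.example';
const PLACEHOLDER_ADVISORIES = [{ id: 'CVE-0000-00000 (placeholder)', fixedIn: '1.101.0' }];
const SAMPLE = {
  settings: { status: 200, headers: {},
    body: JSON.stringify({ versionCli: '1.100.0', userManagement: { showSetupOnFirstLoad: true } }) },
  workflows: { status: 200, headers: {}, body: '{"data":[]}' },
  cors: { status: 200, headers: { 'Access-Control-Allow-Origin': EVIL_ORIGIN,
    'Access-Control-Allow-Credentials': 'true' }, body: '' },
};

function auditSample() {
  return audit(SAMPLE, PLACEHOLDER_ADVISORIES, EVIL_ORIGIN);
}

console.error(summarize(auditSample()));
console.log(JSON.stringify(auditSample(), null, 2));
```

Each check is a separate function that takes a response and returns zero or more findings, so a 401 from /rest/settings short-circuits the three checks that depend on its body instead of producing false positives; the version comparison is numeric per component rather than a string compare, which matters once minor versions pass 99 as in the page's 1.100.0 example.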

Usage

# Probe a live instance
npx n8n-security --url https://n8n.example.com

# Write a shareable HTML report
npx n8n-security --url https://n8n.example.com --html report.html

# Static only (no requests sent)
npx n8n-security --url https://n8n.example.com --no-probe

Output is JSON on stdout (pipe it into CI) and a one-line summary on stderr. The exit code is non-zero only on usage errors, never on findings, so gate your pipeline on the JSON summary rather than on the exit status.

Install (optional)

npm i -g n8n-security
n8n-security --url https://n8n.example.com

Zero dependencies. Your data and credentials never leave your machine — every request goes straight from the tool to your n8n instance. Those requests are real anonymous probes that will show up in the target's access logs, so run it only against instances you own or are authorized to test.

Sister tools

Same active-probe philosophy for the rest of the backend stack, all MIT:

supabase-security · pocketbase-security · firebase-security · appwrite-security · nhost-security · strapi-security · directus-security · convex-security

License

MIT © Renzo Madueno