n8n — agentic threat model
n8n presents a high agentic risk profile due to its combination of custom code execution (JS/Python), 350+ third-party integrations, and AI orchestration via LangChain. A compromise or successful prompt injection could lead to arbitrary code execution or unauthorized actions across a vast ecosystem of connected enterprise applications.
OWASP AIVSS score rationale

| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.20 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.60 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin that layer down.

Layer 1 (Foundation Models): Not certain from the listing — n8n integrates with external foundation models via LangChain nodes, making it susceptible to upstream model vulnerabilities, adversarial prompt injection, and misaligned outputs depending on the chosen LLM provider.

Layer 2 (Data Operations): Supports integration with vector databases for RAG. Threats include vector database poisoning, unauthorized data retrieval via prompt injection, and lack of fine-grained access control over retrieved context.

Layer 3 (Agent Frameworks): Highly vulnerable to tool misuse and insecure tool integration due to 350+ integrations and custom JS/Python code execution nodes. LangChain orchestration can be manipulated via prompt injection to execute unintended workflows.

Layer 4 (Deployment & Infrastructure): Self-hosting provides control but shifts infrastructure security to the user. Key threats include container escape via custom code execution (JS/Python nodes) and exposure of API keys/secrets stored within the workflow manager.

Layer 5 (Evaluation & Observability): Not certain from the listing — n8n's native execution logging may capture workflow states, but dedicated AI evaluation, drift detection, and real-time LLM guardrails are not explicitly detailed in the provided features.

Layer 6 (Security & Compliance): Not certain from the listing — while self-hosting allows users to enforce their own compliance and network boundaries, the listing does not specify built-in RBAC, enterprise identity federation, or compliance certifications.

Layer 7 (Agent Ecosystem): High ecosystem risk due to the ability to share and import custom nodes, which could introduce malicious code or backdoors. Multi-agent coordination is possible via chained workflows, risking cascading failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
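As an added defender-side example (not part of the original listing or the n8n project): a small audit over an exported n8n workflow that flags the Layer 3 and Layer 4 concerns above, namely custom code nodes, LangChain/AI nodes, and credential-looking strings embedded directly in node parameters. The node type identifiers and parameter names (`n8n-nodes-base.code`, `language`/`pythonCode`, the `@n8n/n8n-nodes-langchain.` prefix), the secret regex and the sample workflow are assumptions drawn from the export format; verify them against your n8n version.

```python
import json
import re

# Constructed sample workflow export (not from any real deployment). Node type
# ids and parameter names are assumptions about n8n's export format.
SAMPLE_WORKFLOW = json.loads(r'''
{
  "name": "demo",
  "nodes": [
    {"name": "Trigger", "type": "n8n-nodes-base.manualTrigger", "parameters": {}},
    {"name": "Transform", "type": "n8n-nodes-base.code",
     "parameters": {"language": "python", "pythonCode": "return items"}},
    {"name": "Call API", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"url": "https://api.example.invalid/v1",
                    "headerParameters": {"parameters": [{"name": "Authorization",
                        "value": "Bearer sk-CONSTRUCTED-EXAMPLE-KEY-0000"}]}}},
    {"name": "Agent", "type": "@n8n/n8n-nodes-langchain.agent", "parameters": {}}
  ]
}
''')

# Node types that run user-supplied JS/Python inside the n8n process (assumed ids).
CODE_NODE_TYPES = {"n8n-nodes-base.code", "n8n-nodes-base.function",
                   "n8n-nodes-base.functionItem"}
AI_NODE_PREFIX = "@n8n/n8n-nodes-langchain."
# Crude heuristic for credentials pasted inline instead of using the credential store.
SECRET_PATTERN = re.compile(r"(?i)(bearer\s+\S{16,}|sk-[A-Za-z0-9_-]{12,}|api[_-]?key\s*[:=]\s*\S+)")


def _walk_strings(obj):
    """Yield every string value nested anywhere inside a node's parameters."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk_strings(v)
    elif isinstance(obj, str):
        yield obj


def audit_workflow(workflow):
    """Return (node_name, finding) pairs worth a reviewer's attention."""
    findings = []
    for node in workflow.get("nodes", []):
        name, ntype = node.get("name", "?"), node.get("type", "")
        params = node.get("parameters", {})
        if ntype in CODE_NODE_TYPES:
            findings.append((name, f"custom code execution node ({params.get('language', 'javaScript')})"))
        if ntype.startswith(AI_NODE_PREFIX):
            findings.append((name, "LangChain/AI node: review prompt-injection exposure and tool scope"))
        if any(SECRET_PATTERN.search(s) for s in _walk_strings(params)):
            findings.append((name, "possible hardcoded secret in node parameters"))
    return findings
```

Run it against a `workflow.json` exported from the editor or the CLI to get a first pass before a manual review.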