GHSA-FVFV-PPW4-7H2W: n8n Guardrail Bypass: When AI Safety Rails Are Made of Paper

#security #cve #cybersecurity #ghsa

n8n Guardrail Bypass: When AI Safety Rails Are Made of Paper

Vulnerability ID: GHSA-FVFV-PPW4-7H2W
CVSS Score: 6.5
Published: 2026-02-26

A logic flaw in n8n's Guardrail node allows attackers to bypass AI safety checks using prompt injection. By exploiting weak delimiters and permissive schema validation, malicious inputs can coerce the underlying LLM into approving prohibited content.

TL;DR

The Guardrail node in n8n, designed to filter bad inputs using LLMs, failed to separate system instructions from user data properly. Attackers can use simple prompt injection techniques to override safety rules and force the node to return a 'safe' verdict. Fixed in version 2.10.0.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-20
Attack Vector: Network (Prompt Injection)
CVSS Score: 6.5 (Medium)
Impact: Security Control Bypass
Affected Component: Guardrail Node (LangChain)
Exploit Status: PoC Available

Affected Systems

n8n automation platform
n8n: < 2.10.0 (Fixed in: 2.10.0)

Code Analysis

Commit: 8d0251d

Fix guardrail prompt injection and harden schema validation

Mitigation Strategies

Upgrade n8n to version 2.10.0 or later immediately.
Implement strict schema validation (e.g., Zod's .strict()) for all LLM structured outputs.
Use specific token delimiters that are unlikely to appear in user input, or sanitize user input to remove delimiter sequences.

Remediation Steps:

Pull the latest docker image: docker pull n8n/n8n:latest
Restart your n8n container/service.
Audit any custom Guardrail prompts you have created to ensure they include instructions to ignore contradictory user input.