N8N version in API

The idea is:

There should be an API call that returns the current running version of N8N. Probably plus some other info, like versions of custom npm and pip packages that are installed/available in the code module. Maybe add this info to the audit API?

My use case:

Want to programmatically monitor when I need to upgrade my self-hosted cluster.

I think it would be beneficial to add this because:

Staying up to date with feature and bug releases is important!

Got my vote, the API needs more love 🙂

2 Likes

If you wanted the version you could extract it from the /metrics endpoint if enabled or from /rest/settings, which also gives you some more information on the settings you are using.

3 Likes

Wasn’t aware of the /metrics and /rest/settings endpoints. Thanks! It looks like /rest/endpoints does exactly what I want.

For /metrics, it would probably be helpful to have that output in JSON form, rather than as a text file that needs to be parsed.

Hey @Lee_S,

The /metrics endpoint is oddly in the correct format for its intended purpose; it is normally used with Prometheus for monitoring. Maybe a similar output in JSON could be useful for other monitoring tools though.

1 Like
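For the JSON form and the upgrade-monitoring use case discussed above, an added example (not part of the original thread and not n8n's own code): it parses Prometheus text exposition output, pulls the running version from its labels, and compares it with a target release. The metric name `n8n_version_info`, its `version` label and the sample text are assumptions constructed for illustration; check the output of your own instance.

```python
import json
import re

# Constructed sample of Prometheus text exposition (not captured from a real instance).
# Assumption: the version is exposed as an info-style metric named n8n_version_info.
SAMPLE_METRICS = '''\
# HELP n8n_version_info n8n version info.
# TYPE n8n_version_info gauge
n8n_version_info{version="v1.45.1",major="1",minor="45",patch="1"} 1
# HELP n8n_process_cpu_user_seconds_total Total user CPU time spent in seconds.
# TYPE n8n_process_cpu_user_seconds_total counter
n8n_process_cpu_user_seconds_total 12.5
'''

# name, optional {labels}, value, optional timestamp
SAMPLE_RE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+\d+)?$')
LABEL_RE = re.compile(r'([A-Za-z_]\w*)="((?:[^"\\]|\\.)*)"')

def parse_version(version):
    """Turn 'v1.45.1' or '1.45.1' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r'\d+', version)[:3])

def parse_metrics(text):
    """Parse exposition text into a list of {name, labels, value} dicts."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):  # skip HELP/TYPE comments and blanks
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue  # ignore lines that are not well-formed samples
        name, raw_labels, value = m.groups()
        labels = dict(LABEL_RE.findall(raw_labels or ''))
        samples.append({'name': name, 'labels': labels, 'value': float(value)})
    return samples

def running_version(text, metric='n8n_version_info'):
    """Return the running version as a tuple, or None if the metric is absent."""
    for s in parse_metrics(text):
        if s['name'] == metric and 'version' in s['labels']:
            return parse_version(s['labels']['version'])
    return None

def needs_upgrade(text, latest):
    """True when the running version is older than `latest` (e.g. '1.46.0')."""
    current = running_version(text)
    if current is None:
        raise ValueError('version metric not found; is /metrics enabled?')
    return current < parse_version(latest)

if __name__ == '__main__':
    print(json.dumps(parse_metrics(SAMPLE_METRICS), indent=2))
    print('upgrade needed:', needs_upgrade(SAMPLE_METRICS, '1.46.0'))
```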

Can you put the rest/settings endpoint under authorization? Because it is actually public…

Holy Cow! @Jon tagging you for visibility.

I’m not sure how an attacker would use the info they glean from that endpoint, but it certainly makes me nervous to know how easy it is for someone doing a vulnerability scan to gather info from our N8N instance.

1 Like

They can retrieve the endpoint and use it to DDoS you; they can use the version of n8n for scouting vulnerabilities and more.

Much more simply, they could pretend to be an n8n technician who calls and knows your installation details well and steals your access credentials or similar information. Having your settings data and much more exposed is really dangerous.

1 Like

Any suggestions on combating this issue?

It's not an issue, it's a high risk, that's all.

If you know the URL for an n8n instance, that is really all you need if you were thinking about a DDoS approach. The version is possibly the more useful bit of information from a recon view, and with some effort you could potentially try calling someone.

We do have a ticket created to put this behind auth at some point in the future. For now, though, if you are self-hosting you could look to block access in a reverse proxy.

2 Likes