Reason for unauthenticated endpoints exposing setup information

Describe the problem/error/question

Hi team,

We’ve deployed n8n as a self-hosted solution with a business license on EKS. During security scanning, our team identified several unauthenticated endpoints. I’ve consulted the documentation and AI assistant but found no specific information about these endpoints.

Questions:

  1. Why are these endpoints unauthenticated?

  2. If unintentional, are there plans to add authentication middleware?

  3. Would network-level blocking of these endpoints break n8n functionality?

  4. Is there a method to enumerate all unprotected endpoints?

Identified endpoints:

  • /rest/settings

  • /rest/module-settings

  • /rest/sso/saml/initsso?redirect=%2F

  • /rest/source-control/preferences

  • /rest/roles

  • /types/nodes.json

  • /rest/config.js

Thanks for your assistance.

What is the error message (if any)?

N/A

Please share your workflow

N/A

Share the output returned by the last node

N/A

Information on your n8n setup

  • n8n version: 1.106.3
  • Database (default: SQLite): Postgres
  • n8n EXECUTIONS_PROCESS setting (default: own, main): queue
  • Running n8n via (Docker, npm, n8n cloud, desktop app): self-host in EKS
  • Operating system: N/A

Any updates on this?

Only these endpoints are public (in my case), probably for a reason.
However, it would definitely feel more secure if they all required authentication.
