Hi,
Our security team alerts me to potential security issues, as the Node.js version, app version and other information are publicly displayed in the /rest/settings route.
Is there a way to hide them?
Attackers can easily use vulnerability templates (e.g., for bug bounty programs) to exploit this kind of data exposure.
main ← icarot:main
opened 12:47AM - 03 Sep 25 UTC
This nuclei template:
* Detects if path /rest/settings of N8n web application… is exposed, getting internal information. N8n is a Fair-code workflow automation platform with native AI capabilities.
- References:
https://github.com/n8n-io/n8n/
I've validated this template locally?
- [x] YES
- [ ] NO
**Steps to test:**
**N8n Docker:**
1. Running container:
`$ docker volume create n8n_data`
`$ docker run -it --rm --name n8n_container -p 5678:5678 -v n8n_data:/home/node/.n8n docker.n8n.io/n8nio/n8n`
2. Accessing the N8n service:
`$ docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' n8n_container`
And the access URL will be http://<obtained_inspect_IP_Address>:5678
**Nuclei execution:**
`$ ~/go/bin/nuclei -t n8n-config.yaml -u "http://<obtained_inspect_IP_Address>:5678/" -H "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"`
n8n version: latest
Database (default: SQLite): postgres
n8n EXECUTIONS_PROCESS setting (default: own, main): default
Running n8n via (Docker, npm, n8n cloud, desktop app): docker
Operating system: linux
barn4k
September 12, 2025, 12:32pm
2
hello @Anthony_Brebion
AFAIK, the n8n team plans to hide that endpoint in a future release.
However, that endpoint doesn’t contain any sensitive info. Currently you can hide it with a path rule for your reverse proxy.
Claudi
September 24, 2025, 2:23pm
3
How can I do that? I have the same issue here. If I set it up after a proxy-manager and deploy the docker, does the n8n_proxy_hops have to have the value 1?
barn4k
September 24, 2025, 2:32pm
4
It’s a simple path rule with something like:
path condition: /rest/settings
action: block
The exact configuration depends on the reverse proxy / ALB that you are using
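The path rule described in the post above, written out for nginx as an added example (not part of the original post and not n8n's own configuration). The hostname `n8n.example.com` and the upstream `127.0.0.1:5678` are assumptions (5678 is the port published in the Docker command earlier in the thread), and the rule assumes the backend router ignores case and a trailing slash, so it covers those forms as well.

```nginx
# Added example. Hostname and upstream address are placeholders.
server {
    listen 80;
    server_name n8n.example.com;

    # Path rule: block the settings route at the proxy.
    # nginx matches locations against the normalized URI (percent-decoded,
    # "." and ".." resolved, duplicate slashes merged), so encoded variants
    # of the path hit this rule too.
    # "~*" makes the match case-insensitive and "/?" covers the
    # trailing-slash form (assumption: the backend router accepts both).
    location ~* ^/rest/settings/?$ {
        return 403;
    }

    # Everything else is passed through to n8n unchanged.
    location / {
        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;

        # Forwarded headers so the backend sees the original client and scheme.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade support for the proxied application.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

After reloading nginx, `curl -i http://n8n.example.com/rest/settings` should return 403. Confirm that the editor UI still loads for your users afterwards, since the thread does not say whether the frontend depends on this route.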
Claudi
September 24, 2025, 3:44pm
5
Thanks, I will try it. Now I have to deploy all the system again to run after the proxy-manager.