Post

Detecting Suspicious n8n Workflow Changes

Posted
By Nathan Berg
1 min read
Detecting Suspicious n8n Workflow Changes

n8n workflows are executable business logic. A small edit can add a new HTTP request, route data to a different destination, widen a credential’s use, or turn an enrichment workflow into an action workflow. Defenders need detections for suspicious workflow change, not just suspicious runtime behavior.

The best pattern is to treat workflow JSON like code and apply security review to the parts that change risk.

Context

Problem: Workflow edits can introduce new data paths and privileges without changing infrastructure. Approach: Export workflows, diff meaningful fields, and alert on high-risk change patterns. Outcome: Security teams can review automation drift before it becomes an incident.

High-risk change patterns

Prioritize changes that alter trust boundaries:

  • New HTTP Request nodes.
  • New destinations or callback URLs.
  • Changes to webhook paths.
  • New credentials attached to existing workflows.
  • Code node changes that read environment variables.
  • Execute Command or shell-like behavior where enabled.
  • New branches that bypass approval steps.
  • Changes from read-only enrichment to state-changing action.

Not every change is bad. The detection should create review, not panic.

Git-backed review

If workflows are exported to Git, diff them with policy in mind. A simple review bot can label changes:

1
2
3
4
5

workflow: phishing-triage
change: added HTTP Request node
destination: https://api.new-vendor.example
risk: outbound-data-path
review_required: security-platform

Reviewers should see the node type, credential reference, destination, and the upstream data fields that feed it.

Runtime correlation

Change detection gets stronger when paired with execution data:

  • Workflow changed, then failure rate spiked.
  • Workflow changed, then new outbound destination appeared.
  • Workflow changed outside release window.
  • Workflow changed by a user who does not normally edit it.
  • Workflow changed, then downstream API calls increased.

These correlations help distinguish harmless cleanup from meaningful risk.

Response playbook

When a suspicious change appears:

  • Identify the editor, approver, and ticket.
  • Compare the running workflow to the last approved export.
  • Disable the workflow if it crosses a sensitive boundary.
  • Rotate credentials if data may have left approved systems.
  • Preserve execution history and logs before cleanup.

Takeaways

n8n workflow changes deserve the same defensive attention as code changes. Detect new data paths, new privileges, and approval bypasses early, then correlate them with runtime behavior.

blog
n8n detection blue-team audit security
This post is licensed under CC BY 4.0 by the author.