
Who this is for: Security engineers, DevOps staff, and n8n administrators who need to verify that default authentication settings are not exposing their automation platform. We cover this in detail in the n8n Security & Hardening Guide.
Quick Diagnosis & Fix
| Symptom | Immediate Check | Fix (≤ 5 min) |
|---|---|---|
| You can log into n8n with user `admin`, password `admin` (or empty) | Probe the API: `curl -s -u admin:admin http://<host>:5678/rest/workflows \| head` (JSON output means default creds are active) | Set a strong admin password or disable basic auth. Docker Compose example: under `environment:`, set `N8N_BASIC_AUTH_USER=admin` and `N8N_BASIC_AUTH_PASSWORD=Super$3cureP@ss!`, then restart the container. |
1. What “Default Credentials” Mean in n8n
If you find any environment-variable secret leakage, resolve it before continuing with the setup.
| Component | Default Value (if unset) |
|---|---|
| Basic Auth Username | admin (hard‑coded fallback) |
| Basic Auth Password | admin or empty (version‑dependent) |
| JWT Secret | n8n (used for internal API tokens) |
EEFA note: These fallbacks are compiled into the binary. Changing the UI password does not affect the basic‑auth endpoint unless you explicitly set the environment variables.
2. Why Default Admin Credentials Are Critical
- Full workflow access – attackers can read, modify, or delete any workflow, exposing secrets and external API keys.
- Privilege escalation – admin rights allow insertion of nodes that execute shell commands or launch containers.
- Persistence across restarts – defaults survive container redeploys, giving attackers a lasting foothold.
- Compliance risk – leaking personal data or API credentials can breach GDPR, HIPAA, PCI‑DSS, etc.
- Resolve insecure webhook exposure before continuing with the setup.
3. Detecting Active Default Credentials
3.1 Manual HTTP Probe
```bash
# Replace <host> with your n8n URL
curl -s -o /dev/null -w "%{http_code}" -u admin:admin http://<host>:5678/rest/workflows
```
Result: 200 → default credentials work; 401 → they are disabled or changed.
3.2 Automated Scan with Nmap NSE
```bash
nmap -p 5678 --script http-auth-finder <host>
```
The script flags “default credentials found” when a 200 response is returned for admin:admin.
3.3 Internal Audit via n8n CLI
```bash
n8n user:list --auth admin:admin
```
Success indicates the CLI can authenticate with the fallback credentials.
EEFA warning: Running the CLI against production may trigger alerts; restrict it to a safe IP range or a temporary network namespace.
4. Remediation Step‑by‑Step
4.1 Set Strong Basic‑Auth Credentials (Docker / Docker‑Compose)
Define the environment variables (keep the user name if you wish, but generate a strong password):
```yaml
environment:
  - N8N_BASIC_AUTH_USER=admin
  - N8N_BASIC_AUTH_PASSWORD=Super$3cureP@ss!
```
Apply the changes by restarting the service:
```bash
docker compose up -d n8n
```
Checklist before restart
- Password length ≥ 16 characters
- Contains upper-case, lower-case, digits, and special symbols (`!@#$%^&*`)
- Stored securely (Docker secrets, env-file, or secret manager)
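As an added example (not from this guide or the n8n project), the following script audits a `.env` file or a compose `environment:` list against the section 1 fallback values and the checklist above. The variable names and fallback values are those the guide lists; the compose snippet it parses is constructed for the demo.

```python
import re

# Fallback values the guide lists for an unset configuration (section 1).
FALLBACK_PASSWORDS = {"admin", ""}
FALLBACK_JWT_SECRET = "n8n"
SPECIALS = set("!@#$%^&*")   # the symbol set named in the 4.1 checklist

def parse_env(text):
    """Parse KEY=VALUE lines from a .env file or a docker-compose 'environment:' list."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()      # drop the YAML list dash
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.split(" #", 1)[0].strip().strip("'\"")  # drop trailing comment
    return env

def password_problems(pw):
    """Apply the 4.1 checklist: at least 16 characters and all four character classes."""
    checks = [
        (len(pw) >= 16, "shorter than 16 characters"),
        (re.search(r"[A-Z]", pw), "no upper-case letter"),
        (re.search(r"[a-z]", pw), "no lower-case letter"),
        (re.search(r"[0-9]", pw), "no digit"),
        (any(c in SPECIALS for c in pw), "no special symbol (!@#$%^&*)"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit(env):
    """Return a list of findings; an empty list means no fallback or weak value remains."""
    findings = []
    # With basic auth switched off (section 4.2) the IdP handles login and the password is moot.
    if env.get("N8N_BASIC_AUTH_ACTIVE", "true").lower() != "false":
        pw = env.get("N8N_BASIC_AUTH_PASSWORD", "")
        if pw in FALLBACK_PASSWORDS:
            findings.append("N8N_BASIC_AUTH_PASSWORD is unset or the default")
        else:
            findings += [f"N8N_BASIC_AUTH_PASSWORD: {p}" for p in password_problems(pw)]
    if env.get("N8N_JWT_SECRET", FALLBACK_JWT_SECRET) == FALLBACK_JWT_SECRET:
        findings.append("N8N_JWT_SECRET is unset or the default 'n8n'")
    return findings

# Constructed sample: the guide's 4.1 snippet, with the JWT secret left unset.
SAMPLE_COMPOSE_ENV = """
environment:
  - N8N_BASIC_AUTH_USER=admin
  - N8N_BASIC_AUTH_PASSWORD=Super$3cureP@ss!   # passes the checklist
"""
```

Running `audit(parse_env(open(".env").read()))` on a real file reports only the JWT finding for the sample above, which is the "UI fixed, fallback left" pitfall from section 6.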
4.2 Disable Basic Auth When Using an External IdP
If you rely on OAuth, SSO, or another identity provider, turn off the fallback:
```yaml
environment:
  - N8N_BASIC_AUTH_ACTIVE=false      # disables the hard-coded fallback
  - N8N_AUTH_DEFAULT_ROLES=owner     # role assigned by the IdP
```
EEFA note: Disabling basic auth without a working IdP will lock out all users. Configure the IdP first.
4.3 Rotate Credentials Periodically
Create a small script that generates a new password and updates the Docker secret:
```bash
#!/usr/bin/env bash
set -euo pipefail
SERVICE=n8n_n8n
# Generate a random 32-byte password
NEW_PASS=$(openssl rand -base64 32)
# Docker secrets are immutable: detach and delete the old one before re-creating it under the same name
docker service update --secret-rm n8n_pass "$SERVICE"
docker secret rm n8n_pass
printf '%s' "$NEW_PASS" | docker secret create n8n_pass -   # printf avoids a trailing newline in the secret
# Attach the new secret (exposed in the container as /run/secrets/N8N_BASIC_AUTH_PASSWORD) and roll the service
docker service update --secret-add source=n8n_pass,target=N8N_BASIC_AUTH_PASSWORD "$SERVICE"
```
Schedule it weekly (`0 2 * * 0`) via cron.
4.4 Enforce 2‑Factor Authentication via an IdP
n8n does not provide native 2FA. Integrate with **Keycloak**, **Okta**, or another provider and enable MFA on that side. If you encounter any JWT auth misconfiguration, resolve it before continuing with the setup.
5. Hardening Recommendations Beyond Password Change
| Recommendation | Implementation |
|---|---|
| Reverse proxy with IP allow-list | Nginx: `allow 203.0.113.0/24; deny all;` |
| Rate‑limit login attempts | N8N_RATE_LIMIT_MAX=5 and N8N_RATE_LIMIT_WINDOW=60 |
| Store secrets with Docker secrets or Vault | Provide N8N_ENCRYPTION_KEY from a secret store |
| Enforce HTTPS only | N8N_PROTOCOL=https + valid TLS cert |
| Forward logs to SIEM | Ship /root/.n8n/.n8n.log to Splunk/ELK |
6. Common Pitfalls & How to Avoid Them
| Pitfall | Symptom | Corrective Action |
|---|---|---|
| Plain-text password in `.env` | Password appears in `docker inspect` output | Use Docker secrets or Kubernetes Secret objects |
| UI password changed but basic-auth fallback left | UI login works, API still accepts `admin:admin` | Always set `N8N_BASIC_AUTH_USER` / `N8N_BASIC_AUTH_PASSWORD` |
| Restart without persisting env file | Credentials revert to defaults after reboot | Mount a persistent env-file or secret volume |
| Default JWT secret unchanged | Tokens can be forged by anyone who knows the default secret `n8n` | Set `N8N_JWT_SECRET` to a strong random value |
7. Monitoring & Alerting
Enable the built‑in Prometheus exporter:
```yaml
environment:
  - N8N_METRICS=true
  - N8N_METRICS_PORT=5679
```
Add an alert rule that fires when the default admin logs in:
```yaml
groups:
  - name: n8n-security
    rules:
      - alert: DefaultCredsStillActive
        expr: n8n_http_auth_success{user="admin"} > 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "Default n8n admin credentials still active"
          description: "An HTTP request succeeded using admin:admin. Immediate remediation required."
```
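Where the metric above is not available, the same condition can be recovered from the reverse proxy's access log (section 5). This added example, not part of the guide or of n8n, parses Nginx combined-format lines, in which `$remote_user` carries the user name from the Basic Authorization header; the log lines are constructed, and the 401 counter ties in with the rate-limit recommendation.

```python
import re
from collections import Counter

# Nginx "combined" format; $remote_user is the user name from the Basic Authorization header.
LOG_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
FALLBACK_USER = "admin"  # hard-coded fallback user name from section 1

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def default_admin_successes(lines):
    """2xx API responses to requests authenticated as the fallback user: the same
    condition as the DefaultCredsStillActive alert, read from the access log."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["user"] == FALLBACK_USER and rec["path"].startswith("/rest/") \
                and 200 <= rec["status"] < 300:
            hits.append((rec["time"], rec["ip"], rec["method"], rec["path"]))
    return hits

def failed_logins_per_ip(lines, threshold=5):
    """Source IPs with at least `threshold` 401s: candidates for the section 5 rate limit."""
    counts = Counter(rec["ip"] for rec in map(parse_line, lines) if rec and rec["status"] == 401)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - admin [12/Mar/2024:02:14:09 +0000] "GET /rest/workflows HTTP/1.1" 200 5123 "-" "curl/8.4.0"',
    '198.51.100.3 - admin [12/Mar/2024:02:14:11 +0000] "GET /rest/workflows HTTP/1.1" 401 55 "-" "curl/8.4.0"',
    '198.51.100.3 - admin [12/Mar/2024:02:14:12 +0000] "GET /rest/workflows HTTP/1.1" 401 55 "-" "curl/8.4.0"',
    '198.51.100.3 - root [12/Mar/2024:02:14:13 +0000] "GET /rest/workflows HTTP/1.1" 401 55 "-" "curl/8.4.0"',
    '203.0.113.7 - alice [12/Mar/2024:02:15:00 +0000] "POST /rest/workflows HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:02:16:30 +0000] "GET /webhook/abc HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in default_admin_successes(SAMPLE_LOG):
        print("ALERT default admin used:", hit)
    print("failed logins per IP:", failed_logins_per_ip(SAMPLE_LOG, threshold=3))
```

The detector keys on the fallback user name succeeding, not on which password was sent, so treat a hit as "basic-auth fallback still reachable" and confirm with the configuration check from section 4.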
8. Frequently Asked Questions
Q: Does changing the UI password automatically secure the API?
A: No. The UI password updates the internal user DB only. The basic‑auth endpoint still falls back to the compiled defaults unless you set N8N_BASIC_AUTH_USER / N8N_BASIC_AUTH_PASSWORD.
Q: Can I use LDAP instead of basic auth?
A: Yes. Set N8N_AUTHENTICATION=ldap and supply the required LDAP variables. This disables the fallback basic‑auth entirely.
Q: Is the default JWT secret used for webhook authentication?
A: Only for internal token generation (e.g., API‑token endpoint). Webhook signatures use a separate HMAC secret (N8N_WEBHOOK_TUNNEL_URL). Still, replace the JWT secret to prevent token forgery.
Conclusion
Default credentials in n8n provide a trivial entry point for attackers, exposing every workflow and any embedded secrets. By setting strong basic‑auth values, disabling the fallback when using an IdP, rotating secrets regularly, and layering network, rate‑limit, and monitoring controls, you eliminate the most exploitable attack surface and meet real‑world compliance requirements. Implement these steps today to secure your automation pipelines in production.



