We take all security reports seriously. If you believe you have found a security issue in this project, please report it as described below. Do not create a public GitHub issue for security vulnerabilities.
Please report security issues to AWS Security via aws-security@amazon.com, or directly via the AWS Vulnerability Reporting page.
Include the following in your report:
- A description of the vulnerability and its potential impact
- Steps to reproduce, or a proof-of-concept
- The version of
n8n-nodes-agentcoreaffected - Your n8n version and deployment environment (self-hosted, Docker, etc.)
- Any known mitigations or workarounds
Please do not include sensitive data (credentials, customer PII, production URLs) in the report body. If you need to share sensitive reproduction data, indicate that in your initial report and we will coordinate a secure channel.
- We will acknowledge receipt within 3 business days
- We will provide an initial assessment within 7 business days
- For confirmed issues, we will coordinate a fix and disclosure timeline with the reporter
- Fixes will be released as a patch version on npm with a corresponding GitHub Security Advisory
In scope:
- Vulnerabilities in the
n8n-nodes-agentcorepackage code, its credentials handler, or its interaction with the AWS SDK - Credential leakage, improper session handling, insecure defaults in the node
- Supply chain concerns about the published npm artifact
Out of scope:
- Vulnerabilities in n8n itself — please report those to n8n's security process
- Vulnerabilities in Amazon Bedrock AgentCore — please report via the AWS Vulnerability Reporting page
- Vulnerabilities in third-party MCP servers, tool providers, or foundation models invoked through this node — please report to the respective vendors
- Issues in user-authored n8n workflows that happen to use this node
AWS considers good-faith security research to be authorized activity that is protected. For details, see the AWS vulnerability disclosure policy.
We appreciate the security community's efforts. Reporters who follow this process and help us ship a fix will be credited in the advisory (unless they prefer to remain anonymous).