CVE-2026-27578
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the n8n workflow automation platform: authenticated users with workflow creation or modification permissions can inject malicious scripts into pages rendered by the application. The injected scripts execute in the browser of any user visiting the affected pages, enabling session hijacking and account takeover. This affects all n8n instances running vulnerable versions.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user visiting maliciously crafted pages, leading to data theft, privilege escalation, and full compromise of the n8n instance.
Likely Case
Session hijacking of users who interact with workflows containing malicious scripts, potentially leading to unauthorized access to sensitive workflow data and automation capabilities.
If Mitigated
Limited impact if only trusted administrators have workflow creation permissions and proper input validation is enforced.
🎯 Exploit Status
Exploitation requires authenticated access with workflow permissions. The vulnerability is well-documented in the security advisory with specific node types identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.1, 2.9.3, or 1.123.22
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92
Restart Required: Yes
Instructions:
1. Back up your n8n instance and workflows.
2. Stop the n8n service.
3. Update n8n to version 2.10.1, 2.9.3, or 1.123.22 using your package manager or deployment method.
4. Restart the n8n service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict workflow permissions
Limit workflow creation and editing permissions to fully trusted users only.
Disable Webhook node
Add the webhook node to the excluded nodes list to disable one of the vulnerable components:
export NODES_EXCLUDE="n8n-nodes-base.webhook"
🧯 If You Can't Patch
- Implement strict access controls limiting workflow creation/modification to minimal trusted users
- Monitor workflow changes and audit all existing workflows for suspicious script content
🔍 How to Verify
Check if Vulnerable:
Check the n8n version via the web interface or API. If the version is below the fixed release for its line (2.10.1, 2.9.3, or 1.123.22), the system is vulnerable.
Check Version:
curl -X GET http://localhost:5678/rest/health (or check the n8n web interface settings)
Verify Fix Applied:
After updating, verify that the running version is 2.10.1, 2.9.3, or 1.123.22, or a later release on the same line. Test workflow creation with script injection attempts to confirm they are blocked.
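Because the fix ships on three release lines, a plain "is the version below X" comparison gives wrong answers (2.10.0 is above 2.9.3 but still unpatched). The helper below, added here as an example and not code from n8n or the advisory, encodes the per-line reading of the fixed versions listed above. Treating releases newer than 2.10 (and any 1.x release after 1.123.22) as fixed, and ignoring pre-release suffixes, are this example's assumptions.

```python
"""Classify an n8n version string against the CVE-2026-27578 fixed versions.

Added example. The fixed versions 2.10.1, 2.9.3 and 1.123.22 come from the
advisory summary; reading each as a per-release-line fix (so 2.9.4, 2.11.0
or 1.124.0 are also fixed) is an assumption of this example.
"""
import re
from typing import Tuple

# Release line (major, minor) -> first patch level carrying the fix.
FIXED_2X = {(2, 10): 1, (2, 9): 3}
# The 1.x line is fixed from 1.123.22, expressed as (minor, patch).
FIXED_1X = (123, 22)

# Accepts "2.9.3", "v2.10.1" and "1.123.22-rc.1"; suffixes are dropped.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); raise on anything that is not x.y.z."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its own release line."""
    major, minor, patch = parse_version(version)
    if major >= 3:
        # Assumption: majors newer than any fixed line carry the fix.
        return False
    if major == 2:
        if (major, minor) in FIXED_2X:
            return patch < FIXED_2X[(major, minor)]
        # 2.0 .. 2.8 have no fixed release listed, so they stay vulnerable;
        # 2.11+ is assumed to be cut after the fix landed.
        return minor < 9
    if major == 1:
        return (minor, patch) < FIXED_1X
    # 0.x predates every fixed version on the page.
    return True


if __name__ == "__main__":
    # Constructed sample inputs, one per interesting branch.
    for v in ["2.10.0", "2.10.1", "2.9.2", "2.9.3", "2.8.5",
              "2.11.0", "1.123.21", "1.123.22", "v1.124.0"]:
        print(f"{v:>10}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Feed it the version string reported by the web interface or your deployment inventory; anything it reports as VULNERABLE should be scheduled for the update steps above.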
📡 Detection & Monitoring
Log Indicators:
- Unusual workflow modifications
- Multiple failed script execution attempts
- Suspicious node configurations in workflow logs
Network Indicators:
- Unexpected JavaScript payloads in workflow data
- Suspicious script tags in form/chat submissions
SIEM Query:
source="n8n" AND ("workflow modified" OR "script" OR "inject")
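The "If You Can't Patch" section asks you to audit existing workflows for script content, and the indicators above describe what to look for (script tags and JavaScript payloads in workflow data, suspicious node configurations). The scanner below, an added example rather than n8n code, walks an exported workflow JSON file and flags node parameters containing script-like strings, plus nodes of types that render content to a browser. The top-level layout ("nodes" with "name", "type" and "parameters") follows the n8n export format; the indicator patterns and the node-type list beyond n8n-nodes-base.webhook are this example's own assumptions.

```python
"""Audit exported n8n workflow JSON for script-like content in node parameters.

Added example, not part of n8n. Only n8n-nodes-base.webhook is named on the
page (via the NODES_EXCLUDE workaround); the other node types and the regex
indicators are heuristics chosen for this example and will produce some
false positives on legitimate HTML templates.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Strings that normally have no business inside workflow parameters that end
# up rendered in a page.
SCRIPT_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bjavascript\s*:", re.I),
    re.compile(r"\bon(click|load|error|focus|mouse\w+|key\w+)\s*=", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]

# Node types whose configuration reaches a browser. Webhook is from the page;
# the remaining entries are assumptions.
RENDERED_NODE_TYPES = {
    "n8n-nodes-base.webhook",
    "n8n-nodes-base.formTrigger",       # assumption
    "n8n-nodes-base.respondToWebhook",  # assumption
}

# Constructed sample export: one benign HTML value, one script marker.
SAMPLE_WORKFLOW: Dict[str, Any] = json.loads("""
{
  "name": "constructed sample",
  "nodes": [
    {"name": "Webhook", "type": "n8n-nodes-base.webhook",
     "parameters": {"path": "intake", "responseMode": "lastNode"}},
    {"name": "Set", "type": "n8n-nodes-base.set",
     "parameters": {"values": {"string": [
        {"name": "greeting", "value": "Hello <b>team</b>"},
        {"name": "banner", "value": "<script>/* constructed marker */</script>"}
     ]}}}
  ],
  "connections": {}
}
""")


def walk_strings(value: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, text) for every string nested inside value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk_strings(v, f"{path}[{i}]")


def audit_workflow(workflow: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return findings: 'high' for script indicators in parameters,
    'info' for nodes whose type renders content to a browser."""
    findings: List[Dict[str, str]] = []
    for node in workflow.get("nodes", []):
        name = node.get("name", "<unnamed>")
        ntype = node.get("type", "")
        if ntype in RENDERED_NODE_TYPES:
            findings.append({"node": name, "type": ntype, "path": "",
                             "severity": "info",
                             "reason": "node type renders content to a browser"})
        for path, text in walk_strings(node.get("parameters", {})):
            for pat in SCRIPT_INDICATORS:
                if pat.search(text):
                    findings.append({"node": name, "type": ntype, "path": path,
                                     "severity": "high",
                                     "reason": f"matched {pat.pattern!r}"})
                    break  # one finding per parameter is enough
    return findings


def audit_file(filename: str) -> List[Dict[str, str]]:
    """Audit a workflow exported from the n8n UI or CLI to a JSON file."""
    with open(filename, encoding="utf-8") as fh:
        return audit_workflow(json.load(fh))


if __name__ == "__main__":
    import sys
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"[{f['severity']:>4}] {f['node']} ({f['type']}) {f['path']}: {f['reason']}")
```

Run it over every exported workflow and review each 'high' finding by hand; the 'info' entries tell you which workflows expose the webhook (or similar) components that the NODES_EXCLUDE workaround above would disable.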
🔗 References
- https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a
- https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6
- https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e
- https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92