Description
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover. The issues have been fixed in n8n versions 2.10.1 and 1.123.21. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-02-25
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS allowing session hijack and account takeover
Action: Immediate Patch
AI Analysis

Impact

This vulnerability enables an authenticated user with workflow creation or editing rights to embed arbitrary scripts into pages generated by the n8n application. When other users view pages rendered by a malicious workflow, the injected code runs in their browsers, giving the attacker full control over their session and the ability to log into the system as them. The issue is a classic example of Cross‑Site Scripting, classified as CWE‑79 and CWE‑80.

Affected Systems

n8n‑io’s n8n workflow automation platform is affected. Versions before 2.10.1, 2.9.3, and 1.123.22 contain the flaw; these should be considered vulnerable until an authorized upgrade is applied.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, but the EPSS score of less than 1 % suggests exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a web‑based interface used by an authenticated user to create or edit workflows, which is inferred from the description. If exploited, attackers can hijack user sessions and compromise account integrity. The risk remains moderate due to low exploitation probability, yet the potential impact warrants urgent remediation.

Generated by OpenCVE AI on April 17, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.21 or any later release that includes the fix
  • Restrict workflow creation and editing permissions to fully trusted users only
  • Temporarily disable the Webhook node by adding n8n-nodes-base.webhook to the NODES_EXCLUDE environment variable
  • Continuously monitor workflow activity for suspicious or unauthorized modifications

Generated by OpenCVE AI on April 17, 2026 at 14:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2p9h-rqjw-gm92 n8n Vulnerable to Stored XSS via Various Nodes
History

Wed, 04 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 25 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover. The issues have been fixed in n8n versions 2.10.1 and 1.123.21. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Title n8n Vulnerable to Stored XSS via Various Nodes
Weaknesses CWE-79
CWE-80
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

N8n N8n
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:16:20.758Z

Reserved: 2026-02-20T17:40:28.449Z

Link: CVE-2026-27578

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T23:16:21.560

Modified: 2026-03-04T03:24:40.543

Link: CVE-2026-27578

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses