CVE-2026-27578
Stored Cross-Site Scripting in n8n Workflow Nodes Enables Account Takeover
Publication date: 2026-02-25
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | to 1.123.22 (exc) |
| n8n | n8n | From 2.0.0 (inc) to 2.9.3 (exc) |
| n8n | n8n | From 2.10.0 (inc) to 2.10.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the n8n workflow automation platform prior to versions 2.10.1, 2.9.3, and 1.123.22. An authenticated user with permission to create or modify workflows can inject arbitrary scripts into pages rendered by the n8n application using various nodes such as the Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node.
These injected scripts execute in the browser of any user who visits the affected page, which can lead to session hijacking and account takeover.
The vulnerability has been fixed in n8n versions 2.10.1 and 1.123.21. Temporary mitigations include limiting workflow creation and editing permissions to fully trusted users and disabling the Webhook node by adding it to the NODES_EXCLUDE environment variable, though these do not fully remediate the risk.
How can this vulnerability impact me? :
This vulnerability can allow an attacker who has workflow creation or modification permissions to inject malicious scripts that execute in the browsers of other users visiting the affected pages.
The impact includes session hijacking and account takeover, which can lead to unauthorized access to user accounts and potentially sensitive data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, users should upgrade n8n to versions 2.10.1 or 1.123.21 or later, where the issue has been fixed.
If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only.
Additionally, disabling the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable can serve as a temporary mitigation.
Note that these workarounds do not fully remediate the risk and should only be used as short-term measures.