CVE-2026-27578 — MEDIUM (CVSS 5.4) AI Security Vulnerability

CISO Take

If your organization runs n8n for AI workflow automation, patch immediately to 2.10.1 or 1.123.21. Any authenticated user with workflow editing rights can execute arbitrary JavaScript in the browsers of other users — including admins — enabling full account takeover and credential theft for every LLM API key stored in n8n. Treat this as a supply chain risk for your AI pipelines, not just a web app bug.

Risk Assessment

Nominal CVSS of 5.4 understates the real risk for AI-heavy environments. The exploitability is straightforward (authenticated, low-privilege, network-accessible), but the blast radius in an AI orchestration context is severe: n8n workflows typically hold API keys for OpenAI, Anthropic, Azure AI, and connected data stores. Session hijacking via XSS gives an attacker access to every secret in the n8n credential store and the ability to silently modify AI agent workflows. Organizations using n8n as an AI agent orchestrator should treat this as HIGH internally.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
186.5K OpenSSF 6.0 16 dependents Pushed 6d ago 40% patched ~3d to patch Full package profile →
n8n	npm	—	No patch
186.5K OpenSSF 6.0 16 dependents Pushed 6d ago 40% patched ~3d to patch Full package profile →

Severity & Risk

CVSS 3.1

5.4 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI Required

S Changed

C Low

I Low

A None

Recommended Action

5 steps

PATCH

Upgrade to n8n 2.10.1 or 1.123.21 immediately — no workaround fully mitigates the risk.
WORKAROUND (if patching is delayed): Restrict workflow creation/editing to fully-trusted users only; disable the Webhook node via NODES_EXCLUDE=n8n-nodes-base.webhook.
CREDENTIAL ROTATION

Audit and rotate all LLM API keys, database credentials, and OAuth tokens stored in n8n after any potential exposure window.
DETECTION

Review n8n audit logs for unexpected workflow edits, new webhook endpoints, or privilege changes. Monitor for anomalous outbound connections from n8n host.
SEGMENTATION

Ensure n8n is not directly internet-exposed without authentication; restrict admin UI access by IP if feasible.

Classification

Prompt Injection Data Extraction Code Execution Agent RAG API AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0080 - AI Agent Context Poisoning AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0091.000 - Application Access Token

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity Art.9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system access control A.8.5 - AI system security testing A.9.4 - AI system security

NIST AI RMF

GOVERN-1.7 - Processes for identifying and managing AI risks MANAGE-2.2 - Mechanisms to sustain oversight of AI system operations

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency LLM07:2025 - System Prompt Leakage LLM08 - Excessive Agency LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-27578?

If your organization runs n8n for AI workflow automation, patch immediately to 2.10.1 or 1.123.21. Any authenticated user with workflow editing rights can execute arbitrary JavaScript in the browsers of other users — including admins — enabling full account takeover and credential theft for every LLM API key stored in n8n. Treat this as a supply chain risk for your AI pipelines, not just a web app bug.

Is CVE-2026-27578 actively exploited?

No confirmed active exploitation of CVE-2026-27578 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27578?

1. PATCH: Upgrade to n8n 2.10.1 or 1.123.21 immediately — no workaround fully mitigates the risk. 2. WORKAROUND (if patching is delayed): Restrict workflow creation/editing to fully-trusted users only; disable the Webhook node via NODES_EXCLUDE=n8n-nodes-base.webhook. 3. CREDENTIAL ROTATION: Audit and rotate all LLM API keys, database credentials, and OAuth tokens stored in n8n after any potential exposure window. 4. DETECTION: Review n8n audit logs for unexpected workflow edits, new webhook endpoints, or privilege changes. Monitor for anomalous outbound connections from n8n host. 5. SEGMENTATION: Ensure n8n is not directly internet-exposed without authentication; restrict admin UI access by IP if feasible.

What systems are affected by CVE-2026-27578?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration pipelines, Webhook-triggered AI automation, Multi-step AI pipelines, RAG pipelines with n8n as orchestrator, Human-in-the-loop AI workflows.

What is the CVSS score for CVE-2026-27578?

CVE-2026-27578 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover. The issues have been fixed in n8n versions 2.10.1 and 1.123.21. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A threat actor with access to a low-privilege n8n account (e.g., a contractor, a compromised service account, or an insider) creates or modifies a workflow using the Chat Trigger or Webhook node, embedding a JavaScript payload in the node configuration. When an admin opens the n8n dashboard and navigates to the affected workflow, the script executes in their browser — stealing the session cookie or Bearer token. The attacker replays the stolen token to authenticate as admin, then enumerates all stored credentials (OpenAI API keys, database passwords, Slack tokens), exfiltrates them, and modifies production AI workflows to insert silent data exfiltration steps or prompt injection instructions that affect downstream LLM behavior.