CVE-2026-27578: n8n XSS enables session hijacking

CISO Take

If your organization runs n8n for AI workflow automation, patch immediately to 2.10.1 or 1.123.21. Any authenticated user with workflow editing rights can execute arbitrary JavaScript in the browsers of other users — including admins — enabling full account takeover and credential theft for every LLM API key stored in n8n. Treat this as a supply chain risk for your AI pipelines, not just a web app bug.

What is the risk?

Nominal CVSS of 5.4 understates the real risk for AI-heavy environments. The exploitability is straightforward (authenticated, low-privilege, network-accessible), but the blast radius in an AI orchestration context is severe: n8n workflows typically hold API keys for OpenAI, Anthropic, Azure AI, and connected data stores. Session hijacking via XSS gives an attacker access to every secret in the n8n credential store and the ability to silently modify AI agent workflows. Organizations using n8n as an AI agent orchestrator should treat this as HIGH internally.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →
n8n	npm	—	No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →

How severe is it?

CVSS 3.1

5.4 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 8% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI Required

S Changed

C Low

I Low

A None

What should I do?

5 steps

PATCH

Upgrade to n8n 2.10.1 or 1.123.21 immediately — no workaround fully mitigates the risk.
WORKAROUND (if patching is delayed): Restrict workflow creation/editing to fully-trusted users only; disable the Webhook node via NODES_EXCLUDE=n8n-nodes-base.webhook.
CREDENTIAL ROTATION

Audit and rotate all LLM API keys, database credentials, and OAuth tokens stored in n8n after any potential exposure window.
DETECTION

Review n8n audit logs for unexpected workflow edits, new webhook endpoints, or privilege changes. Monitor for anomalous outbound connections from n8n host.
SEGMENTATION

Ensure n8n is not directly internet-exposed without authentication; restrict admin UI access by IP if feasible.

How is it classified?

Prompt Injection Data Extraction Code Execution Agent RAG API AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0080 - AI Agent Context Poisoning AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0091.000 - Application Access Token

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity Art.9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system access control A.8.5 - AI system security testing A.9.4 - AI system security

NIST AI RMF

GOVERN-1.7 - Processes for identifying and managing AI risks MANAGE-2.2 - Mechanisms to sustain oversight of AI system operations

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency LLM07:2025 - System Prompt Leakage LLM08 - Excessive Agency LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-27578?

If your organization runs n8n for AI workflow automation, patch immediately to 2.10.1 or 1.123.21. Any authenticated user with workflow editing rights can execute arbitrary JavaScript in the browsers of other users — including admins — enabling full account takeover and credential theft for every LLM API key stored in n8n. Treat this as a supply chain risk for your AI pipelines, not just a web app bug.

Is CVE-2026-27578 actively exploited?

No confirmed active exploitation of CVE-2026-27578 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27578?

1. PATCH: Upgrade to n8n 2.10.1 or 1.123.21 immediately — no workaround fully mitigates the risk. 2. WORKAROUND (if patching is delayed): Restrict workflow creation/editing to fully-trusted users only; disable the Webhook node via NODES_EXCLUDE=n8n-nodes-base.webhook. 3. CREDENTIAL ROTATION: Audit and rotate all LLM API keys, database credentials, and OAuth tokens stored in n8n after any potential exposure window. 4. DETECTION: Review n8n audit logs for unexpected workflow edits, new webhook endpoints, or privilege changes. Monitor for anomalous outbound connections from n8n host. 5. SEGMENTATION: Ensure n8n is not directly internet-exposed without authentication; restrict admin UI access by IP if feasible.

What systems are affected by CVE-2026-27578?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration pipelines, Webhook-triggered AI automation, Multi-step AI pipelines, RAG pipelines with n8n as orchestrator, Human-in-the-loop AI workflows.

What is the CVSS score for CVE-2026-27578?

CVE-2026-27578 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.18%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksLLM workflow orchestration pipelinesWebhook-triggered AI automationMulti-step AI pipelinesRAG pipelines with n8n as orchestratorHuman-in-the-loop AI workflows

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011 User Execution

AML.T0012 Valid Accounts

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0080 AI Agent Context Poisoning

AML.T0081 Modify AI Agent Configuration

AML.T0083 Credentials from AI Agent Configuration

AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Art.15, Art.9, Article 15

ISO 42001: A.6.2.6, A.8.5, A.9.4

NIST AI RMF: GOVERN-1.7, MANAGE-2.2

OWASP LLM Top 10: LLM06, LLM06:2025, LLM07:2025, LLM08, LLM08:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover. The issues have been fixed in n8n versions 2.10.1 and 1.123.21. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A threat actor with access to a low-privilege n8n account (e.g., a contractor, a compromised service account, or an insider) creates or modifies a workflow using the Chat Trigger or Webhook node, embedding a JavaScript payload in the node configuration. When an admin opens the n8n dashboard and navigates to the affected workflow, the script executes in their browser — stealing the session cookie or Bearer token. The attacker replays the stolen token to authenticate as admin, then enumerates all stored credentials (OpenAI API keys, database passwords, Slack tokens), exfiltrates them, and modifies production AI workflows to insert silent data exfiltration steps or prompt injection instructions that affect downstream LLM behavior.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.