CVE-2026-33749

n8n: stored XSS enables credential theft via workflow

Published March 25, 2026

CISO Take

If your teams use n8n for AI agent automation or integration workflows, patch immediately to 1.123.27, 2.13.3, or 2.14.1 — n8n stores API keys and credentials for every integration, and this vulnerability hands all of them to an attacker via a single crafted URL sent to an admin. Until patched, restrict workflow creation/edit permissions to fully trusted users only, as any authenticated user with edit rights is a potential attacker. The blast radius is total: credentials, workflow logic, and admin access are all at stake.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 1.123.27	`1.123.27`

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

9.0 / 10

EPSS

0.0%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately — this is the only full remediation. 2. RESTRICT (if patching delayed): Revoke workflow creation/edit permissions from all non-essential users via n8n RBAC; treat it as a break-glass scenario. 3. ROTATE: Rotate all API credentials stored in n8n (LLM API keys, DB passwords, cloud tokens, webhook secrets) if you cannot confirm no exploitation occurred. 4. DETECT: Audit n8n access logs for unusual requests to /rest/binary-data and admin endpoint calls from non-admin sessions. 5. NETWORK: If hosting n8n, restrict access to internal networks only and block unauthenticated external access to the instance. 6. MONITOR: Alert on admin privilege escalation events and bulk workflow reads post-incident.

Classification

Data Extraction Auth Bypass Code Execution Agent Framework API AML.T0011.003 - Malicious Link AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - Access control for AI systems A.9.3 - Protection of AI system information

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms are in place to inventory AI systems and their outputs

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure LLM08:2025 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privilege n8n account (e.g., a contractor, junior dev, or compromised service account) crafts a workflow that generates an HTML payload as a binary output object with no filename. The /rest/binary-data endpoint serves this HTML inline with no Content-Disposition or CSP headers, so the browser renders it as live HTML on the n8n origin. The attacker copies the resulting URL and sends it via Slack/email to an n8n admin ('hey, this workflow output looks broken, can you check?'). When the admin opens the URL in their authenticated browser session, the JavaScript executes with full same-origin access — silently POSTing all stored credentials and workflow definitions to an attacker-controlled endpoint, then creating a backdoor admin account. The admin sees a blank page or error and thinks nothing of it.

Weaknesses (CWE)

CWE-79 Primary CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References

Timeline

Published

March 25, 2026

Last Modified

March 27, 2026

First Seen

March 25, 2026

Back to Threat Feed