CVE-2026-33749: n8n stored XSS enables credential

Q: Is CVE-2026-33749 actively exploited?

No confirmed active exploitation of CVE-2026-33749 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33749?

1. PATCH: Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately — this is the only full remediation. 2. RESTRICT (if patching delayed): Revoke workflow creation/edit permissions from all non-essential users via n8n RBAC; treat it as a break-glass scenario. 3. ROTATE: Rotate all API credentials stored in n8n (LLM API keys, DB passwords, cloud tokens, webhook secrets) if you cannot confirm no exploitation occurred. 4. DETECT: Audit n8n access logs for unusual requests to /rest/binary-data and admin endpoint calls from non-admin sessions. 5. NETWORK: If hosting n8n, restrict access to internal networks only and block unauthenticated external access to the instance. 6. MONITOR: Alert on admin privilege escalation events and bulk workflow reads post-incident.

Q: What systems are affected by CVE-2026-33749?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation platforms, AI integration pipelines, LLM orchestration layers, multi-tool AI agents.

Q: What is the CVSS score for CVE-2026-33749?

CVE-2026-33749 has a CVSS v3.1 base score of 9.0 (CRITICAL). The EPSS exploitation probability is 0.25%.

CISO Take

If your teams use n8n for AI agent automation or integration workflows, patch immediately to 1.123.27, 2.13.3, or 2.14.1 — n8n stores API keys and credentials for every integration, and this vulnerability hands all of them to an attacker via a single crafted URL sent to an admin. Until patched, restrict workflow creation/edit permissions to fully trusted users only, as any authenticated user with edit rights is a potential attacker. The blast radius is total: credentials, workflow logic, and admin access are all at stake.

What is the risk?

High operational risk for AI teams despite moderate EPSS (0.00038). CVSS 9.0 reflects the C:H/I:H/A:H scope-changed impact accurately. n8n is the de facto 'glue' for AI agent pipelines — it holds API keys for LLM providers, databases, SaaS tools, and cloud services. Privilege escalation to admin via a single phishing URL makes this a full platform compromise. Exploitation requires only a low-privilege authenticated account, making insider threat and compromised-account scenarios highly plausible. The attack requires user interaction (victim clicks URL), which is the main friction point.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 1.123.27	`1.123.27`
194.3K OpenSSF 6.6 Pushed yesterday 54% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1

9.0 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI Required

S Changed

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately — this is the only full remediation.
RESTRICT (if patching delayed): Revoke workflow creation/edit permissions from all non-essential users via n8n RBAC; treat it as a break-glass scenario.
ROTATE

Rotate all API credentials stored in n8n (LLM API keys, DB passwords, cloud tokens, webhook secrets) if you cannot confirm no exploitation occurred.
DETECT

Audit n8n access logs for unusual requests to /rest/binary-data and admin endpoint calls from non-admin sessions.
NETWORK

If hosting n8n, restrict access to internal networks only and block unauthenticated external access to the instance.
MONITOR

Alert on admin privilege escalation events and bulk workflow reads post-incident.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Code Execution Agent Framework API AML.T0011.003 - Malicious Link AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - Access control for AI systems A.9.3 - Protection of AI system information

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms are in place to inventory AI systems and their outputs

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-33749?

If your teams use n8n for AI agent automation or integration workflows, patch immediately to 1.123.27, 2.13.3, or 2.14.1 — n8n stores API keys and credentials for every integration, and this vulnerability hands all of them to an attacker via a single crafted URL sent to an admin. Until patched, restrict workflow creation/edit permissions to fully trusted users only, as any authenticated user with edit rights is a potential attacker. The blast radius is total: credentials, workflow logic, and admin access are all at stake.

Is CVE-2026-33749 actively exploited?

No confirmed active exploitation of CVE-2026-33749 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33749?

1. PATCH: Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately — this is the only full remediation. 2. RESTRICT (if patching delayed): Revoke workflow creation/edit permissions from all non-essential users via n8n RBAC; treat it as a break-glass scenario. 3. ROTATE: Rotate all API credentials stored in n8n (LLM API keys, DB passwords, cloud tokens, webhook secrets) if you cannot confirm no exploitation occurred. 4. DETECT: Audit n8n access logs for unusual requests to /rest/binary-data and admin endpoint calls from non-admin sessions. 5. NETWORK: If hosting n8n, restrict access to internal networks only and block unauthenticated external access to the instance. 6. MONITOR: Alert on admin privilege escalation events and bulk workflow reads post-incident.

What systems are affected by CVE-2026-33749?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation platforms, AI integration pipelines, LLM orchestration layers, multi-tool AI agents.

What is the CVSS score for CVE-2026-33749?

CVE-2026-33749 has a CVSS v3.1 base score of 9.0 (CRITICAL). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

agent frameworksworkflow automation platformsAI integration pipelinesLLM orchestration layersmulti-tool AI agents

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link

AML.T0012 Valid Accounts

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0081 Modify AI Agent Configuration

AML.T0083 Credentials from AI Agent Configuration

AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.6.2.3, A.9.3

NIST AI RMF: GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM06:2025, LLM08:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privilege n8n account (e.g., a contractor, junior dev, or compromised service account) crafts a workflow that generates an HTML payload as a binary output object with no filename. The /rest/binary-data endpoint serves this HTML inline with no Content-Disposition or CSP headers, so the browser renders it as live HTML on the n8n origin. The attacker copies the resulting URL and sends it via Slack/email to an n8n admin ('hey, this workflow output looks broken, can you check?'). When the admin opens the URL in their authenticated browser session, the JavaScript executes with full same-origin access — silently POSTing all stored credentials and workflow definitions to an attacker-controlled endpoint, then creating a backdoor admin account. The admin sees a blank page or error and thinks nothing of it.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.