GHSA-q4fm-pjq6-m63g: n8n: Stored XSS in Form Trigger enables phishing

GHSA-q4fm-pjq6-m63g MEDIUM
Published March 27, 2026
CISO Take

Any authenticated n8n user with workflow edit rights can plant a persistent XSS payload in a public Form Trigger node, silently hijacking form submissions and phishing every visitor until patched. Upgrade to n8n 2.12.0, 2.11.2, or 1.123.25 immediately. If patching is delayed, lock down workflow creation to fully trusted users only and consider disabling the Form Trigger node entirely via NODES_EXCLUDE.

What is the risk?

CVSS 5.4 Medium understates operational risk for organizations using n8n as an AI agent orchestration platform. The stored nature of the XSS means a single exploit persists and affects every future form visitor without requiring repeated attacker interaction. The attack requires only low-privilege authenticated access (workflow creator), a role commonly granted in team deployments. Existing CSP mitigates session cookie theft but does not prevent script execution, form action manipulation, or credential harvesting. Risk is elevated for any n8n instance with externally published forms collecting user data or credentials.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable range: >= 2.0.0-rc.0, < 2.11.2
Patched: 2.11.2

How severe is it?

CVSS 3.1: 5.4 / 10
EPSS: N/A
Exploitation status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

What should I do?

1. PATCH: Upgrade n8n to 2.12.0, 2.11.2 (2.x branch), or 1.123.25 (1.x branch) immediately.

2. AUDIT: Review all existing Form Trigger nodes for suspicious CSS or HTML content, especially inline styles or script-like patterns in form field definitions.

3. RBAC: Restrict workflow create/modify permissions to fully trusted users only — revoke from any accounts not strictly requiring it.

4. DISABLE: If upgrading is not immediately possible, add 'n8n-nodes-base.formTrigger' to the NODES_EXCLUDE environment variable to disable the node entirely.

5. MONITOR: Log all Form Trigger node creations and modifications; alert on changes by non-admin accounts.

6. VERIFY: After patching, confirm no malicious payloads persist in existing form configurations by re-exporting and inspecting workflow JSON.
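A way to carry out the AUDIT and VERIFY steps against an exported workflow: this added example (not n8n's own code) walks every string parameter of each Form Trigger node and flags script-like or CSS-injection markers for human review. The node type id comes from the advisory; the parameter layout of the sample export and the marker patterns are assumptions for illustration.

```javascript
// Added example: scan an exported n8n workflow JSON for Form Trigger nodes whose
// string parameters contain script-like or CSS-injection markers. Only the node
// type id is from the advisory; the sample workflow and patterns are constructed.
const FORM_TRIGGER_TYPE = 'n8n-nodes-base.formTrigger';
// Heuristic markers that warrant a human look; assumed patterns, not an XSS filter.
const SUSPICIOUS = [
  { name: 'script tag',       re: /<\s*\/?\s*script/i },
  { name: 'style breakout',   re: /<\s*\/\s*style/i },
  { name: 'event handler',    re: /\bon[a-z]+\s*=/i },
  { name: 'javascript: URL',  re: /javascript\s*:/i },
  { name: 'CSS expression()', re: /expression\s*\(/i },
  { name: 'CSS @import',      re: /@import\b/i },
];
// Walk every string inside a node's parameters, reporting its path in the JSON.
function* stringValues(value, path) {
  if (typeof value === 'string') { yield { path, value }; return; }
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* stringValues(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* stringValues(v, `${path}.${k}`);
  }
}
// Return one finding per (Form Trigger node, string parameter, matching marker).
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== FORM_TRIGGER_TYPE) continue;
    for (const { path, value } of stringValues(node.parameters || {}, 'parameters')) {
      for (const { name, re } of SUSPICIOUS) {
        if (re.test(value)) findings.push({ node: node.name, path, marker: name });
      }
    }
  }
  return findings;
}
// Constructed sample export: one clean form, one tampered form, one non-form node.
const SAMPLE_WORKFLOW = {
  name: 'Customer intake',
  nodes: [
    { name: 'Intake Form', type: FORM_TRIGGER_TYPE, parameters: { formTitle: 'Contact us',
      formFields: { values: [{ fieldLabel: 'Email', fieldType: 'email' }] } } },
    { name: 'Tampered Form', type: FORM_TRIGGER_TYPE, parameters: { formTitle: 'Survey',
      formFields: { values: [{ fieldLabel: 'Name<script>alert(1)</script>', fieldType: 'text' }] },
      options: { customCss: 'body { background: url("javascript:void(0)") }' } } },
    { name: 'Send Email', type: 'n8n-nodes-base.emailSend', parameters: { text: '<script>' } },
  ],
};
for (const f of scanWorkflow(SAMPLE_WORKFLOW)) console.log(`${f.node}: ${f.marker} at ${f.path}`);
```

To run it against a real export, replace SAMPLE_WORKFLOW with the parsed JSON of the workflow file; every finding is a parameter to inspect by hand, not a confirmed payload.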

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Security by Design
NIST AI RMF
MS-2.5 - Testing and Evaluation of AI System Security
OWASP LLM Top 10
LLM05 - Improper Output Handling

What is the AI security impact?

Affected AI Architectures

agent frameworks
workflow automation pipelines
human-in-the-loop AI systems
data collection pipelines

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

## Impact

An authenticated user with permission to create or modify workflows could exploit a flaw in the Form Trigger node's CSS sanitization to store a cross-site scripting (XSS) payload. The injected script executes persistently for every visitor of the published form, enabling form submission hijacking and phishing. The existing Content Security Policy prevents direct n8n session cookie theft but does not prevent script execution or form action manipulation.

## Patches

The issue has been fixed in n8n versions 2.12.0, 2.11.2, and 1.123.25. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A threat actor gains n8n credentials for a standard workflow creator account — via phishing, credential stuffing, or insider access. They modify an existing published workflow's Form Trigger node, embedding a JavaScript payload disguised as a CSS style value that bypasses the flawed sanitization. The form URL is shared broadly (via email, Slack, or embedded in a customer portal). Every user who opens the form executes the attacker's script: it silently clones the form submission and POSTs credentials or PII to an attacker-controlled endpoint before forwarding the user to the legitimate destination. In AI agent contexts, this intercepts data intended for downstream LLM processing — poisoning the agent's inputs while harvesting user data in parallel.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets and style property, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: March 27, 2026
Last Modified: March 27, 2026
First Seen: March 27, 2026
