CVE-2025-49592: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in n8n-io n8n
n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.
AI Analysis
Technical Summary
CVE-2025-49592 is an Open Redirect vulnerability (CWE-601) found in the n8n workflow automation platform versions prior to 1.98.0. This vulnerability exists in the login flow, specifically affecting the /signin endpoint. Authenticated users can be redirected to attacker-controlled, untrusted domains by manipulating the redirect query parameter in the login URL. Because the redirect URL is not properly validated, an attacker can craft malicious URLs that appear to lead to legitimate n8n login pages but redirect users to lookalike or malicious domains after authentication. This can facilitate phishing attacks where users are tricked into entering credentials or two-factor authentication (2FA) tokens on fake sites that visually mimic the legitimate n8n user interface. The vulnerability does not allow direct compromise of the n8n system itself but poses a significant risk to user credentials and organizational security posture through social engineering. The issue has been addressed in version 1.98.0 by implementing strict origin validation, allowing only same-origin or relative path redirects post-login, thus preventing redirection to external domains. The CVSS score is 4.6 (medium severity), reflecting the limited impact on confidentiality and integrity, the requirement for user interaction, and the need for authentication to exploit the vulnerability. No known exploits are currently reported in the wild. Organizations hosting n8n and exposing the /signin endpoint should prioritize upgrading to version 1.98.0 or later to mitigate this risk.
Potential Impact
For European organizations using n8n for workflow automation, this vulnerability could lead to targeted phishing attacks leveraging the trusted n8n brand and user interface. Attackers could exploit the open redirect to redirect authenticated users to malicious sites that harvest credentials or 2FA tokens, potentially enabling unauthorized access to organizational resources. This risk is particularly acute for organizations with sensitive workflows automated in n8n, as compromised credentials could lead to broader lateral movement or data exfiltration. Additionally, the reputational damage from successful phishing campaigns exploiting this vulnerability could erode trust among clients and partners. Since exploitation requires authenticated users and user interaction, the impact is somewhat limited but still significant in environments where n8n is widely used and users may be less security-aware. The vulnerability does not directly compromise system availability or integrity but indirectly threatens confidentiality and organizational security through credential theft.
Mitigation Recommendations
The primary mitigation is to upgrade all n8n instances to version 1.98.0 or later, where strict origin validation for redirect URLs has been implemented. Beyond upgrading, organizations should:
1) Restrict access to the /signin endpoint via network controls or VPNs to reduce exposure to external attackers.
2) Implement strong user awareness training focused on recognizing phishing attempts, especially those involving URL redirection and lookalike domains.
3) Enforce multi-factor authentication (MFA) across all user accounts to reduce the impact of credential theft.
4) Monitor login and redirect logs for unusual redirect URLs or patterns indicative of exploitation attempts.
5) Use web application firewalls (WAFs) to detect and block suspicious redirect parameters.
6) Consider implementing Content Security Policy (CSP) headers to reduce the risk of UI spoofing on attacker-controlled domains.
These measures, combined with patching, will significantly reduce the risk posed by this vulnerability.
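The two technical points above, the same-origin redirect validation the 1.98.0 fix introduces and the log monitoring recommended in item 4, are shown together in the following TypeScript example. This is added illustration code, not n8n's own implementation: the application origin (APP_ORIGIN), the function names, the combined-format access-log lines and all hosts in them are constructed for the example, and the query parameter is assumed to be named `redirect` as the advisory describes.

```typescript
// Added example, not n8n's own code: a strict same-origin check for a
// post-login "redirect" query parameter (the control the advisory describes
// for 1.98.0), plus a log scan that flags /signin requests whose redirect
// target would be rejected. APP_ORIGIN and the log lines are constructed.

export const APP_ORIGIN = "https://n8n.example";

/** Parses `candidate` against `base`, returning null instead of throwing on malformed input. */
function tryParseUrl(candidate: string, base: string): URL | null {
  try {
    return new URL(candidate, base);
  } catch {
    return null;
  }
}

/** True only when `candidate` resolves to the application's own origin. */
export function isSameOriginRedirect(candidate: string, appOrigin: string = APP_ORIGIN): boolean {
  if (candidate.length === 0) return false;
  // Control characters and whitespace never belong in a legitimate target and
  // are a common ingredient of parser-confusion payloads, so reject outright.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) return false;
  // Relative paths resolve against our origin; absolute URLs keep their own.
  const target = tryParseUrl(candidate, appOrigin);
  if (target === null) return false;
  // Only web schemes are acceptable navigation targets after login.
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  // origin = scheme + host + port: lookalike hosts (n8n.local.evil.example),
  // scheme-relative "//evil.example", "user@host" forms and odd ports all differ.
  return target.origin === new URL(appOrigin).origin;
}

/** Absolute same-origin URL to send the user to, or the landing page if the candidate is unsafe. */
export function resolvePostLoginRedirect(candidate: string | null, appOrigin: string = APP_ORIGIN): string {
  if (candidate === null || !isSameOriginRedirect(candidate, appOrigin)) {
    return new URL("/", appOrigin).href;
  }
  // href is fully normalised (lower-cased host, resolved dot segments) and has
  // already passed the origin check, so it is safe to hand to the browser.
  return new URL(candidate, appOrigin).href;
}

export interface RedirectFinding {
  clientIp: string;
  redirectParam: string;
}

/** Flags /signin requests in combined-format access-log lines whose redirect parameter fails validation. */
export function findSuspiciousSigninRedirects(logLines: string[], appOrigin: string = APP_ORIGIN): RedirectFinding[] {
  const findings: RedirectFinding[] = [];
  const requestLine = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;
  for (const line of logLines) {
    const m = requestLine.exec(line);
    if (!m) continue;
    const clientIp = m[1];
    const url = tryParseUrl(m[2], appOrigin);
    if (url === null || url.pathname !== "/signin") continue;
    // searchParams.get() percent-decodes the value, so the check sees what the app would see.
    const redirectParam = url.searchParams.get("redirect");
    if (redirectParam === null) continue;
    if (!isSameOriginRedirect(redirectParam, appOrigin)) {
      findings.push({ clientIp, redirectParam });
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic): one benign relative
// redirect, one lookalike host, one scheme-relative target, one unrelated request.
export const SAMPLE_ACCESS_LOG: string[] = [
  '203.0.113.10 - - [26/Jun/2025:19:50:27 +0000] "GET /signin?redirect=%2Fworkflow%2F42 HTTP/1.1" 200 512',
  '203.0.113.11 - - [26/Jun/2025:19:51:03 +0000] "GET /signin?redirect=https%3A%2F%2Fn8n.local.evil.example%2Fsignin HTTP/1.1" 200 512',
  '203.0.113.12 - - [26/Jun/2025:19:52:18 +0000] "GET /signin?redirect=%2F%2Fevil.example%2F HTTP/1.1" 200 512',
  '203.0.113.13 - - [26/Jun/2025:19:53:40 +0000] "GET /home HTTP/1.1" 200 1024',
];

for (const f of findSuspiciousSigninRedirects(SAMPLE_ACCESS_LOG)) {
  console.log(`suspicious redirect from ${f.clientIp}: ${f.redirectParam}`);
}
```

The check compares full origins (scheme, host and port) rather than doing a substring or prefix match on the host, which is exactly what lets a lookalike such as n8n.local.evil.example slip past weaker validators. Returning the normalised absolute `href` rather than a reassembled relative path avoids a second pitfall: a path beginning with `//` would be interpreted by the browser as scheme-relative even though it came from a same-origin URL object.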
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-06T15:44:21.556Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685da483ca1063fb8744e14c
Added to database: 6/26/2025, 7:50:27 PM
Last enriched: 6/26/2025, 8:05:01 PM
Last updated: 8/20/2025, 9:29:20 PM