
CVE-2026-27578: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in n8n-io n8n

Severity: High
Tags: CVE-2026-27578, cve, cwe-80, cwe-79
Published: Wed Feb 25 2026 (02/25/2026, 22:40:38 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover. The issues have been fixed in n8n versions 2.10.1 and 1.123.21. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/05/2026, 10:01:09 UTC

Technical Analysis

CVE-2026-27578 is a cross-site scripting (XSS) vulnerability classified under CWE-80 and CWE-79 that affects the n8n workflow automation platform. The flaw exists in versions prior to 2.10.1, 2.9.3, and 1.123.22: authenticated users with permission to create or modify workflows can inject arbitrary JavaScript into pages rendered by the n8n web application. The injection can occur through multiple nodes, including the Form Trigger node, Chat Trigger node, Send & Wait node, Webhook node, and Chat node. When other users visit the affected pages, the injected scripts execute in their browsers, potentially allowing attackers to hijack sessions, steal authentication tokens, or perform actions on behalf of the victim, leading to account takeover. The vulnerability arises from improper neutralization of script-related HTML tags, which allows malicious payloads to bypass input sanitization. Exploitation requires the attacker to hold at least limited privileges (workflow creation or modification) and requires user interaction (a victim visiting the affected page). The vulnerability has a CVSS 4.0 base score of 8.5, indicating high severity: network attack vector, low attack complexity, only the low privileges needed to edit workflows, and high impact on confidentiality and integrity. The issue has been remediated in n8n versions 2.10.1 and 1.123.21. Until upgrades can be applied, administrators are advised to restrict workflow editing permissions to fully trusted users and to disable the Webhook node via environment variable configuration. These mitigations do not fully remove the risk, so prompt patching remains necessary.

Potential Impact

The impact of CVE-2026-27578 is significant for organizations using vulnerable versions of n8n. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users’ browsers, leading to session hijacking and account takeover. This compromises confidentiality by exposing sensitive session tokens and potentially other data accessible through the web interface. Integrity is impacted as attackers can perform unauthorized actions on behalf of victims, such as modifying workflows or accessing restricted data. Availability is less directly affected but could be impacted if attackers disrupt workflows or perform malicious actions. Since n8n is often used to automate critical business processes, exploitation could lead to disruption of automated workflows, data leakage, and lateral movement within an organization’s infrastructure. The requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with many users or delegated permissions. Organizations relying on n8n for automation in sectors like finance, healthcare, and technology could face operational and reputational damage if exploited.

Mitigation Recommendations

To mitigate CVE-2026-27578, organizations should upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later, where the vulnerability is patched. Until an upgrade is feasible, restrict workflow creation and modification permissions strictly to fully trusted and vetted users to reduce the risk of malicious script injection. Additionally, disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable to reduce the attack surface; this is only a partial mitigation, since the other affected nodes remain in use. Implement strict monitoring and auditing of workflow changes to detect suspicious activity. Deploy Content Security Policy (CSP) headers to reduce the impact of injected scripts. Educate users to avoid opening suspicious links or workflow-rendered pages. Regularly review user permissions and remove unnecessary workflow editing rights. Finally, maintain up-to-date backups of workflows and configurations to enable recovery in case of compromise.
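A small triage helper for the upgrade and workaround steps above, added here as an example and not code from n8n or from this advisory. The version thresholds are the fixed releases the advisory lists; the assumption that `NODES_EXCLUDE` holds a JSON array of node type names follows n8n's documented convention and is treated as an assumption, with a bare comma-separated value also tolerated.

```python
"""Triage helper for CVE-2026-27578 (n8n stored XSS via workflow nodes).
Added example. Thresholds come from the advisory; the JSON-array format of
NODES_EXCLUDE is an assumption based on n8n's documented convention."""
import json

WEBHOOK_NODE = "n8n-nodes-base.webhook"  # node the advisory suggests excluding


def parse_version(text):
    """'v2.10.1' / '2.10.1' -> (2, 10, 1); missing components default to 0."""
    parts = text.strip().lstrip("v").split(".")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(version):
    """True if this n8n version predates the fix on its release line."""
    v = parse_version(version)
    if v >= (2, 10, 1):
        return False                 # 2.10.1 and later are fixed
    if v[:2] == (2, 9):
        return v < (2, 9, 3)         # 2.9 line was fixed in 2.9.3
    if v[0] == 2:
        return True                  # 2.0 .. 2.8 are all prior to 2.9.3
    if v[0] == 1:
        return v < (1, 123, 22)      # 1.x line was fixed in 1.123.22
    return True                      # 0.x is older than every fixed release


def webhook_node_excluded(nodes_exclude):
    """True if the NODES_EXCLUDE value disables the Webhook node."""
    if not nodes_exclude:
        return False
    try:
        names = json.loads(nodes_exclude)   # expected: '["n8n-nodes-base.webhook"]'
    except json.JSONDecodeError:
        names = nodes_exclude.split(",")    # tolerate a bare comma-separated list
    if not isinstance(names, list):
        return False
    return WEBHOOK_NODE in [str(n).strip() for n in names]


def triage(version, nodes_exclude=""):
    """Summarise exposure and the remediation step the advisory calls for."""
    vulnerable = is_vulnerable(version)
    excluded = webhook_node_excluded(nodes_exclude)
    if not vulnerable:
        action = "none: running a fixed release"
    elif excluded:
        action = "upgrade: Webhook node disabled, other affected nodes remain"
    else:
        action = "upgrade: no workaround in place"
    return {"vulnerable": vulnerable, "webhook_excluded": excluded, "action": action}
```

Feed it the running n8n version and the instance's `NODES_EXCLUDE` value; a vulnerable result with the Webhook node excluded is still an upgrade ticket, not a closed finding.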


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T17:40:28.449Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699f7e1fb7ef31ef0b65d5a3

Added to database: 2/25/2026, 10:56:31 PM

Last enriched: 3/5/2026, 10:01:09 AM

Last updated: 4/12/2026, 12:00:45 PM

