CVE-2026-27578 is an improper neutralization of script-related HTML tags vulnerability (CWE-80, CWE-79) in the n8n workflow automation platform. It affects versions prior to 2.10.1, 2.9.3, and 1.123.22. The flaw allows an authenticated user with permissions to create or modify workflows to inject malicious JavaScript into pages rendered by the n8n web application. Injection points include multiple nodes such as Form Trigger, Chat Trigger, Send & Wait, Webhook, and Chat nodes. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability arises from insufficient sanitization or encoding of user-supplied input that is reflected in the HTML output. Exploitation requires authenticated access and some user interaction (visiting the affected page). The CVSS 4.0 base score is 8.5 (high), reflecting network attack vector, low attack complexity, no privileges required beyond workflow editing, partial user interaction, and high impact on confidentiality and integrity. The vendor has released patches in versions 2.10.1 and 1.123.21 that properly neutralize script injection vectors. Until upgrading, administrators can limit workflow creation/editing to trusted users and disable the Webhook node via environment variable configuration, though these are partial mitigations only.

This vulnerability poses a significant risk to organizations using n8n for workflow automation, especially those with multiple users having workflow editing permissions. Successful exploitation can lead to session hijacking and account takeover, compromising user credentials and potentially allowing attackers to manipulate workflows or access sensitive data. This can disrupt business processes automated by n8n, cause data breaches, and undermine trust in the platform. Since the injected scripts execute in the context of the victim's browser, attackers can perform actions on behalf of users, escalate privileges, or pivot to other internal systems. The impact is heightened in environments where n8n is exposed to multiple users or integrated with critical business applications. The requirement for authenticated access limits exposure but does not eliminate risk, especially in large organizations with many users or insufficient access controls.

1. Upgrade n8n to version 2.10.1, 2.9.3, 1.123.22, or later immediately to apply the official patches that fix the XSS vulnerability. 2. Until upgrading is possible, restrict workflow creation and modification permissions strictly to fully trusted and trained users to reduce the risk of malicious script injection. 3. Disable the Webhook node by adding 'n8n-nodes-base.webhook' to the NODES_EXCLUDE environment variable to reduce attack surface, especially if Webhook nodes are not essential. 4. Conduct regular audits of existing workflows to detect and remove any potentially malicious or suspicious scripts. 5. Implement Content Security Policy (CSP) headers in the web application to limit the execution of unauthorized scripts. 6. Educate users about the risks of visiting untrusted workflows and encourage reporting of suspicious behavior. 7. Monitor logs for unusual workflow creation or modification activities that could indicate exploitation attempts. 8. Consider network segmentation and access controls to limit exposure of n8n instances to only necessary users and systems.