PT-2026-22036 · N8N · N8N

Aikido-Security +2

Published: 2026-02-25 · Updated: 2026-03-04

CVE-2026-27578

CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

n8n versions prior to 2.10.1
n8n versions prior to 2.9.3
n8n versions prior to 1.123.22
Description

n8n is a workflow automation platform susceptible to arbitrary script injection (cross-site scripting). An authenticated user with permission to create or modify workflows could inject malicious scripts into pages rendered by the n8n application through several nodes, including the Form Trigger node, Chat Trigger node, Send & Wait node, Webhook node, and Chat node. The injected scripts execute in the browser of any user who visits the affected page, potentially leading to session hijacking and account takeover.
Recommendations

Upgrade to n8n version 2.10.1 or later.
Upgrade to n8n version 2.9.3 or later.
Upgrade to n8n version 1.123.22 or later.
If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only.
If upgrading is not immediately possible, disable the Webhook node by adding n8n-nodes-base.webhook to the NODES_EXCLUDE environment variable.
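Added triage helper, not part of the advisory: given a deployed n8n version string and the instance's NODES_EXCLUDE value, it decides whether the instance still predates the fix for its release branch and whether the Webhook-node mitigation above is in place. It assumes NODES_EXCLUDE holds a JSON array of node type names, and treats the Webhook exclusion as partial, since the description lists several other nodes.

```python
import json
import re
from typing import Optional

# Fixed versions per release branch (from the advisory) and the node type
# named in its NODES_EXCLUDE mitigation.
FIXED = {"1": (1, 123, 22), "2.9": (2, 9, 3), "2": (2, 10, 1)}
WEBHOOK_NODE_TYPE = "n8n-nodes-base.webhook"


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' (pre-release suffix ignored) into ints."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True if the version predates the CVE-2026-27578 fix for its branch."""
    major, minor, patch = parse_version(version)
    if major == 1:
        fixed = FIXED["1"]      # 1.x backport: fixed in 1.123.22
    elif major == 2 and minor == 9:
        fixed = FIXED["2.9"]    # 2.9.x backport: fixed in 2.9.3
    elif major == 2:
        fixed = FIXED["2"]      # other 2.x: fixed in 2.10.1
    else:
        return major < 1        # 0.x predates every fix; 3.x+ assumed fixed
    return (major, minor, patch) < fixed

def webhook_node_excluded(nodes_exclude: Optional[str]) -> bool:
    """True if NODES_EXCLUDE (assumed to be a JSON array of node types)
    lists the Webhook node. Unset, malformed or non-array values -> False."""
    if not nodes_exclude:
        return False
    try:
        excluded = json.loads(nodes_exclude)
    except json.JSONDecodeError:
        return False
    return isinstance(excluded, list) and WEBHOOK_NODE_TYPE in excluded

def triage(version: str, nodes_exclude: Optional[str] = None) -> str:
    """Verdict for one instance. Excluding the Webhook node covers only one of
    the nodes the advisory lists, so it is reported as a partial mitigation."""
    if not is_affected(version):
        return "fixed"
    if webhook_node_excluded(nodes_exclude):
        return "affected, webhook node excluded (partial mitigation)"
    return "affected, upgrade required"
```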

Weakness Enumeration

XSS

Related Identifiers

CVE-2026-27578
GHSA-2P9H-RQJW-GM92

Affected Products

N8N