n8n-io n8n up to 1.123.21/2.9.2/2.10.0 Environment Variable NODES_EXCLUDE cross site scripting

Summaryinfo

A vulnerability described as problematic has been identified in n8n-io n8n up to 1.123.21/2.9.2/2.10.0. This issue affects some unknown processing of the component Environment Variable Handler. Such manipulation of the argument NODES_EXCLUDE leads to cross site scripting. This vulnerability is uniquely identified as CVE-2026-27578. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in n8n-io n8n up to 1.123.21/2.9.2/2.10.0. It has been rated as problematic. Affected by this issue is an unknown code block of the component Environment Variable Handler. The manipulation of the argument NODES_EXCLUDE with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-80. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. Impacted is integrity. CVE summarizes:

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover. The issues have been fixed in n8n versions 2.10.1 and 1.123.21. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

The advisory is shared for download at github.com. This vulnerability is handled as CVE-2026-27578 since 02/20/2026. The exploitation is known to be easy. The attack may be launched remotely. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1059.007.

Upgrading to version 1.123.22, 2.9.3 or 2.10.1 eliminates this vulnerability. Applying the patch 062644ef786b6af480afe4a0f12bc6d70040534a is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2026-0532). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Affected

• n8n n8n

Productinfo

Vendor

• n8n-io

Name

• n8n

Version

• 1.123.0
• 1.123.1
• 1.123.2
• 1.123.3
• 1.123.4
• 1.123.5
• 1.123.6
• 1.123.7
• 1.123.8
• 1.123.9
• 1.123.10
• 1.123.11
• 1.123.12
• 1.123.13
• 1.123.14
• 1.123.15
• 1.123.16
• 1.123.17
• 1.123.18
• 1.123.19
• 1.123.20
• 1.123.21
• 2.0
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.9.0
• 2.9.1
• 2.9.2
• 2.10.0

License

• open-source

Website

• Product: https://github.com/n8n-io/n8n/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion