{"data":{"id":"ae1ea234-50b8-4cbd-b667-8439633d08f8","title":"GHSA-w673-8fjw-457c: n8n: Authenticated XSS and Open Redirect via Form Node","summary":"n8n (a workflow automation tool) has a security flaw in its Form Node: authenticated users can inject malicious code (cross-site scripting) or redirect users (open redirect) through unsanitized form fields, potentially enabling phishing attacks. Exploitation requires authentication.","solution":"Upgrade to n8n version 1.123.24, 2.10.4, or 2.12.0 or later, matching your release line: the affected ranges are below 1.123.24, 2.0.0-rc.0 up to (not including) 2.10.4, and 2.11.0 up to (not including) 2.12.0, so a 2.11.x install is still affected even though it is newer than 2.10.4. If immediate upgrade is not possible, temporary workarounds include: (1) restrict workflow creation and editing permissions to trusted users only, (2) disable the Form node by adding 'n8n-nodes-base.form' to the NODES_EXCLUDE environment variable, or (3) disable the Form Trigger node by adding 'n8n-nodes-base.formTrigger' to the NODES_EXCLUDE environment variable. Note that these workarounds do not fully eliminate the risk and are only short-term measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-w673-8fjw-457c","publishedAt":"2026-03-27T18:06:28.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["jailbreak"],"issueType":"vulnerability","affectedPackages":["n8n@< 1.123.24 (fixed: 1.123.24)","n8n@>= 2.0.0-rc.0, < 2.10.4 (fixed: 2.10.4)","n8n@>= 2.11.0, < 2.12.0 (fixed: 2.12.0)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-03-27T18:06:28.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","safety"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}