GHSA-w673-8fjw-457c: n8n: Authenticated XSS and Open Redirect via Form Node
Summary
n8n (a workflow automation tool) is affected by a vulnerability in its Form Node feature: an authenticated user can inject script (cross-site scripting) or craft an open redirect through unsanitized form fields, which could be used to phish other users who open the form. Exploitation requires an authenticated account on the n8n instance.
Solution / Mitigation
Upgrade to n8n version 1.123.24, 2.10.4, or 2.12.0 or later. If an immediate upgrade is not possible, temporary workarounds include: (1) restrict workflow creation and editing permissions to trusted users only, (2) disable the Form node by adding 'n8n-nodes-base.form' to the NODES_EXCLUDE environment variable, or (3) disable the Form Trigger node by adding 'n8n-nodes-base.formTrigger' to the NODES_EXCLUDE environment variable. These workarounds reduce but do not eliminate the risk and are short-term measures only.
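The following POSIX shell script is an added example for checking a deployment against this advisory's mitigation; it is not part of the advisory or of the n8n project. It builds the NODES_EXCLUDE value that disables both Form nodes, checks whether an existing value already excludes them, and compares a running version against the fixed versions named above. It assumes that NODES_EXCLUDE takes a JSON array of node type names (n8n's documented format), that versions are plain MAJOR.MINOR.PATCH strings, and, as an interpretation of the advisory, that the 2.11.x line is unpatched because no 2.11 fix is listed.

```shell
#!/bin/sh
# Added example, not n8n project code: assess an n8n deployment against the
# Form Node XSS / open redirect advisory using its version and NODES_EXCLUDE.

# Node types named in the advisory's workaround.
FORM_NODES="n8n-nodes-base.form n8n-nodes-base.formTrigger"

# Print a NODES_EXCLUDE value (JSON array, n8n's documented format) that
# excludes every node type given as an argument.
build_nodes_exclude() {
  out="["
  sep=""
  for node in "$@"; do
    out="${out}${sep}\"${node}\""
    sep=", "
  done
  printf '%s]\n' "$out"
}

# Return 0 if the NODES_EXCLUDE value in $1 excludes both Form nodes, else 1.
# Match on the quoted name so "n8n-nodes-base.form" is not satisfied by
# "n8n-nodes-base.formTrigger".
form_nodes_excluded() {
  value="$1"
  for node in $FORM_NODES; do
    case "$value" in
      *"\"$node\""*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Return 0 when version $1 >= version $2 (both MAJOR.MINOR.PATCH), else 1.
# A pre-release suffix such as "-rc1" on the patch component is ignored.
version_ge() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
  a_patch=${a_patch%%-*}; b_patch=${b_patch%%-*}
  if [ "$a_major" -ne "$b_major" ]; then
    [ "$a_major" -gt "$b_major" ]
  elif [ "$a_minor" -ne "$b_minor" ]; then
    [ "$a_minor" -gt "$b_minor" ]
  else
    [ "$a_patch" -ge "$b_patch" ]
  fi
}

# Return 0 when the version carries the fix per the advisory: 1.123.24+ on
# the 1.x line, 2.10.4+ on the 2.10 line, or 2.12.0 or later.
# Assumption: 2.11.x is not listed as fixed, so it is treated as unpatched.
version_is_fixed() {
  v="$1"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  if [ "$major" -eq 1 ]; then
    version_ge "$v" 1.123.24
  elif [ "$major" -eq 2 ] && [ "$minor" -eq 10 ]; then
    version_ge "$v" 2.10.4
  else
    version_ge "$v" 2.12.0
  fi
}

# Print a one-word verdict for a deployment given its version ($1) and its
# current NODES_EXCLUDE value ($2, may be empty).
assess() {
  if version_is_fixed "$1"; then
    echo "patched"
  elif form_nodes_excluded "$2"; then
    echo "unpatched-workaround"
  else
    echo "unpatched-exposed"
  fi
}

# Constructed sample run: an unpatched 2.10.3 instance with the workaround applied.
SAMPLE_EXCLUDE=$(build_nodes_exclude $FORM_NODES)
echo "NODES_EXCLUDE=$SAMPLE_EXCLUDE"
assess 2.10.3 "$SAMPLE_EXCLUDE"
```

To apply the workaround, set NODES_EXCLUDE to the value that build_nodes_exclude prints (in a docker-compose environment block, a systemd unit, or the shell that starts n8n) and restart n8n; an "unpatched-exposed" verdict means neither the fix nor the node exclusion is in place.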
Original source: https://github.com/advisories/GHSA-w673-8fjw-457c
First tracked: March 28, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 85%