A missing check on the authorization URL stored with OAuth credentials opens up a stored XSS vulnerability in the n8n automation platform, researchers at Imperva have discovered.
Setting up OAuth allows n8n to connect to services such as Google Workspace, Microsoft 365, Slack, or GitHub without having to expose service passwords.
This is core to automation platforms like n8n because it allows organizations to reduce multiple manual tasks to single automated workflows. A customer might submit a web form, which n8n passes via API calls or OAuth credentials to a CRM system and a central database, before sending messages to external Slack or project management tools.
Each of these connections relies on OAuth tokens or API keys for authentication, and an OAuth credential is configured with, among other settings, the authorization URL of the external service that users are sent to when they connect their account. Unfortunately, Imperva found, n8n stored that authorization URL without properly validating it.
An attacker could pull off an XSS attack by replacing the valid authorization URL with a malicious JavaScript payload. The payload sits in the stored credential and executes in the browser of any other user who opens the same credential and clicks through to connect their account.
“This is a stored XSS, meaning the payload is saved permanently in the database and served to any user who interacts with the credential,” said Imperva.
How serious is this?
An important caveat: for any of this to be possible, an attacker would already need an account on the victim's n8n instance with the ability to edit a credential that other users share. From that point of view, exploiting this vulnerability would be the second stage of an attack, not the first.
That said, an attacker able to pull off the exploit would be able to exfiltrate multiple credentials across employees and eventually compromise the entire n8n system. In Imperva's view, however, the bigger issue is the extent to which organizations are pooling risk in automation platforms.
“Workflow automation tools like n8n are becoming the backbone of modern IT infrastructure. While they offer immense power and speed, they also centralize trust,” Imperva said.
“A vulnerability in this layer can often be more damaging than a vulnerability in a single isolated application. We recommend organizations treat their automation platforms as Tier-0 assets, enforce strict access controls, and ensure they are patched promptly.”
In short, automation platforms save huge amounts of time but centralize access to multiple other systems. That makes them hugely attractive to attackers.
The n8n platform releases new versions on a regular basis, which means that vulnerabilities are often ‘silently’ patched before users hear about them. That was the case with this flaw, which was fixed in the v2.6.4 update released on February 6.
In February, researchers uncovered a series of n8n vulnerabilities that generated six separate CVEs. A few weeks before that, the platform was hit by a critical-rated flaw that was patched along with four other CVEs. The platform has also been targeted by malicious npm packages posing as n8n integrations, a sign that its growing popularity is bringing it to the attention of threat actors.