Overview of the Incident
On February 6, n8n released version 2.6.4 to address a stored cross-site scripting (XSS) vulnerability in its handling of OAuth credentials. Security researchers at Imperva found that n8n did not properly sanitize OAuth tokens and secrets before storing them in the database. This oversight allowed attackers to inject malicious JavaScript, which could execute when any user viewed the affected credentials.
This vulnerability highlights the risk at the intersection of OAuth authentication and automation platform trust boundaries. As n8n integrates with various services, a successful exploit could impact your entire connected infrastructure.
Incident Timeline
Discovery: Imperva researchers identified the vulnerability during security testing of n8n's OAuth implementation.
February 6: n8n released version 2.6.4 with a fix. However, the platform did not provide a detailed security advisory, leaving the disclosure timeline unclear.
Post-Patch: The vulnerability adds to a trend of increasing threat actor interest in n8n, evidenced by malicious npm packages posing as legitimate integrations, recognizing its value as a centralized access point.
Failed or Missing Controls
Input Validation: n8n accepted OAuth responses without sanitizing HTML special characters before database storage. This violates the principle that all external input must be treated as untrusted.
Output Encoding: When displaying stored credentials, n8n failed to apply HTML entity encoding, allowing script execution.
Content Security Policy (CSP): A restrictive CSP could have blocked inline script execution, providing an additional layer of defense.
Privileged Access Controls: Treating n8n as a standard SaaS tool rather than a privileged access management boundary missed opportunities to limit exposure, such as network segmentation and MFA enforcement.
Relevant Standards
OWASP ASVS v4.0.3 Requirement 5.3.3 mandates contextual output encoding for all untrusted data before rendering in HTML contexts. n8n's failure to encode OAuth credentials violates this requirement.
OWASP Top 10 2021: A03 - Injection advises using safe APIs and template engines that auto-escape by default to prevent XSS.
PCI DSS v4.0.1 Requirement 6.2.4 requires protection from known attacks, including XSS, for web applications. Organizations using n8n for payment processing need to update to version 2.6.4 or later to comply.
NIST 800-53 Rev 5 Control SI-10 requires validation of information inputs early in the processing chain. n8n's handling of OAuth credentials failed both syntactic and semantic validation.
Actionable Steps for Your Team
Treat Automation Platforms as Tier-0 Infrastructure: If your n8n instance connects to multiple services, it holds significant privileges. Implement strict controls:
- Require hardware MFA for access
- Use network segmentation with explicit allow-lists
- Enable session recording and anomaly detection
- Limit credential creation and workflow modification to a few administrators
Audit OAuth Implementations: Review how your applications handle OAuth tokens and secrets:
- Log receipt of credentials (type, issuer, timestamp)
- Validate format and length before storage
- Sanitize for injection patterns
- Use application-level encryption
- Apply output encoding in UI contexts
- Set CSP headers to 'self' without unsafe-inline
Map the Automation Platform's Blast Radius: Document all services accessible by your automation platform. Determine the impact of a potential compromise and adjust your segmentation strategy accordingly.
Implement Defense-in-Depth for XSS: Beyond input sanitization, ensure:
- Input validation at write-time
- Output encoding at read-time
- CSP headers to restrict scripts
- Regular automated scanning for XSS
Verify OAuth Scope Minimization: Grant only necessary OAuth scopes for your workflows. Review configurations quarterly and revoke unused scopes.
Establish a Patch SLA for Centralized Tools: Ensure a 72-hour SLA for security updates to platforms like n8n. For cloud-hosted versions, verify your provider's patching timeline.
The n8n vulnerability underscores the need to treat automation platforms as critical components in your security architecture. Your incident response plan should account for potential compromises of these platforms due to their extensive access capabilities.
