n8n OAuth misconfig allows stored XSS, credential risk
⚠️ Researchers at Imperva disclosed a configuration weakness in the OAuth credential handling of n8n that fails to sanitize the authorization URL, enabling a stored XSS payload to be saved in the application database. An attacker with access to a victim's n8n instance can replace a legitimate URL with malicious JavaScript that executes when other users interact with the same credential. Because the payload is persistent, it can expose multiple OAuth credentials and enable broader system compromise. The flaw was fixed in n8n v2.6.4 on February 6.
