Full Report
n8n security advisory (AV26-278)
Analysis Summary
# Vulnerability: Multiple Security Flaws in n8n Workflow Automation
## CVE Details
- **CVE ID:** CVE-2024-31306, CVE-2024-32650, CVE-2024-34346, CVE-2024-34351 (Associated with the advisory components)
- **CVSS Score:** Range from 6.1 to 9.9 (Medium to Critical)
- **CWE:** CWE-79 (XSS), CWE-94 (Code Injection), CWE-200 (Information Exposure)
## Affected Systems
- **Products:** n8n, n8n Community Edition
- **Versions:**
  - Versions prior to 1.34.2
  - Versions prior to 1.38.0 (Specific to GSuiteAdmin/Merge nodes)
- **Configurations:** Systems utilizing "Merge" nodes, "GSuiteAdmin" nodes, "Form/Chat Triggers," or instances where "Binary Data Inline HTML Rendering" is enabled.
## Vulnerability Description
The advisory covers several distinct security flaws within the n8n ecosystem:
1. **Code Injection/Insecure Processing (Merge/GSuiteAdmin Nodes):** Flaws in how data is processed in specific nodes could allow for unauthorized code execution or privilege escalation.
2. **Cross-Site Scripting (XSS):** Vulnerabilities in Form Trigger and Chat Trigger nodes allow for the injection of malicious scripts into the user's browser session.
3. **Risky Inline HTML Rendering Defaults:** The binary data rendering feature could be leveraged to execute unauthorized scripts in the context of the n8n application.
## Exploitation
- **Status:** PoC available for several associated CVEs; no confirmed reports of exploitation in the wild at the time of publication.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential access to sensitive credentials and workflow data).
- **Integrity:** High (Ability to modify workflows or execute unauthorized commands).
- **Availability:** Medium (Potential for service disruption via malicious payloads).
## Remediation
### Patches
The following versions (or later) contain the necessary security fixes:
- **n8n v1.38.0**
- **n8n v1.34.2**
### Workarounds
- Disable the **Form Trigger** and **Chat Trigger** nodes if they are not strictly necessary.
- Disable **Inline HTML Rendering** for binary data in the environment configuration (`N8N_BLOCK_HTML_IN_BINARY_DATA=true`).
- Restrict access to the n8n editor UI to trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Review audit logs for unusual workflow modifications or executions from the "GSuiteAdmin" or "Merge" nodes.
- **Detection methods:** Inspect web server logs for suspicious script tags (`<script>`) being passed to Form or Chat trigger endpoints.
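
The log inspection described above can be scripted. The following is an added example, not code from the advisory or from n8n: it scans combined-format access log lines for script tags sent to trigger endpoints and goes slightly beyond a literal `<script>` match by also catching percent-encoded and double-encoded forms. The path prefixes in `TRIGGER_PREFIXES` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: path prefixes that front Form/Chat trigger endpoints in this
# deployment; adjust to match your reverse proxy and n8n endpoint settings.
TRIGGER_PREFIXES = ("/form/", "/form-test/", "/webhook/")

# Request line of a combined-format access log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (line_number, decoded_target) for trigger requests carrying a script tag."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        decoded = fully_decode(match.group("target"))
        path = decoded.split("?", 1)[0]
        if path.startswith(TRIGGER_PREFIXES) and SCRIPT_RE.search(decoded):
            hits.append((number, decoded))
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /form/contact?name=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /form/contact?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "POST /webhook/abc123/chat?sessionId=%253CScRiPt%253E HTTP/1.1" 200 77',
    '198.51.100.4 - - [01/Jan/2025:10:00:12 +0000] "GET /docs?q=%3Cscript%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Access logs normally record only the request line, so payloads submitted in POST bodies are visible only if application-level or WAF logging captures them.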
## References
- n8n Security Advisories: hxxps[://]github[.]com/n8n-io/n8n/security
- Canadian Centre for Cyber Security Bulletin: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/n8n-security-advisory-av26-278
- n8n Release Notes: hxxps[://]github[.]com/n8n-io/n8n/releases