n8n Open Redirect Vulnerability in Login Flow

Vulnerability

A moderate open redirect vulnerability has been identified in n8n, a workflow automation platform, affecting versions prior to 1.98.0. It allows authenticated users to be redirected to untrusted, attacker-controlled domains after logging in. An attacker exploits the issue by crafting a login URL whose redirect query parameter points at an attacker-controlled domain. The vulnerability is present in any n8n instance that exposes the '/signin' endpoint to users.

Impact

Exploitation of this vulnerability could lead to phishing attacks, theft of credentials or two-factor authentication codes, and reputational damage, because the attacker-controlled destination can be made to look like the trusted instance the user just signed in to.

Reproduction

To reproduce this vulnerability, open the '/signin' endpoint of an affected n8n instance through a crafted URL that carries a misleading redirect query parameter. Once the login completes, the user is redirected to the attacker-controlled domain instead of staying on the instance.

Remediation

Users are advised to upgrade to n8n version 1.98.0 or later, where this vulnerability has been patched by introducing strict origin validation for redirect URLs, allowing only same-origin or relative paths after login.
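The kind of check the fix describes, as an added example in JavaScript (not n8n's own code): the redirect parameter is parsed against the application's origin and only same-origin targets are accepted, returned as a relative path. The app origin, the sample inputs and the function name are assumptions of this example.

```javascript
// Added example, not n8n's code: validate a post-login redirect target so that
// only same-origin absolute URLs or relative paths are honoured; anything else
// falls back to a safe default instead of leaving the instance.
const DEFAULT_PATH = '/';

function resolveSafeRedirect(redirectParam, appOrigin) {
  if (typeof redirectParam !== 'string' || redirectParam.length === 0) {
    return DEFAULT_PATH;
  }
  // Whitespace and control characters only ever serve to confuse parsers.
  if (/[\s\x00-\x1f\x7f]/.test(redirectParam)) return DEFAULT_PATH;

  let target;
  try {
    // Resolving against the app origin turns a relative path into a same-origin
    // URL; an absolute URL keeps its own origin, which is what gets compared.
    target = new URL(redirectParam, appOrigin);
  } catch {
    return DEFAULT_PATH; // unparseable input
  }
  const base = new URL(appOrigin);

  // Protocol-relative ("//host"), backslash ("/\host"), userinfo ("good@evil")
  // and scheme-changing inputs all resolve to a different origin than the app
  // and are rejected here; "javascript:" and "mailto:" have origin "null".
  if (target.origin !== base.origin) return DEFAULT_PATH;
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return DEFAULT_PATH;

  // Emit a relative path so the Location header never carries a host at all.
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs (assumed app origin) to show the decision table.
const APP_ORIGIN = 'https://n8n.example.com';
const SAMPLES = [
  '/workflows/1',
  'https://n8n.example.com/settings?tab=users',
  '//evil.example/login',
  '/\\evil.example',
  'https://n8n.example.com@evil.example/',
  'javascript:alert(1)',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', resolveSafeRedirect(s, APP_ORIGIN));
}
```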

Added: Jun 26, 2025, 8:33 PM
Updated: Jun 26, 2025, 8:33 PM

Vulnerability Rating (Custom Algorithm)

  spread          5.7
  impact          0.6
  exploitability  5.6
  remediation     7.7
  relevance       0.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.