Description
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Published: 2026-06-23
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n is an open‑source workflow automation platform. Prior to versions 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could embed arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When another logged‑in user visits the chat URL, the injected script executes in the n8n origin using the victim’s session privileges. This stored XSS flaw (CWE‑79) allows the attacker to run code with the victim’s rights and potentially exfiltrate data or perform actions on their behalf.

Affected Systems

The issue affects the n8n product from n8n‑io. Any installation using a version earlier than 1.123.55, 2.25.7, or 2.26.2 is vulnerable. These versions allow a workflow editor to supply a malicious webhookId that is persisted and later rendered to a logged‑in user.

Risk and Exploitability

The flaw carries a CVSS score of 7, indicating a high risk. While the EPSS score is not available, the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated user with workflow edit rights; the attacker must alter the webhookId field, which is stored in the chat page. Successful exploitation occurs when another logged‑in user visits the chat URL, at which point the malicious script runs with the victim’s browser context and session privileges. Because the attack vector is limited to users with adequate permissions, an organization should immediately patch or restrict those privileges.

Generated by OpenCVE AI on June 24, 2026 at 07:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n 1.123.55, 2.25.7, or 2.26.2, depending on your deployment. This patch removes the stored XSS flaw and enforces stricter workflow edit permissions for trusted users.
  • Restrict or remove the Chat Trigger node from workflows that are not essential, or lock its usage to trusted administrators, to reduce exposure.
  • Add server‑side validation or output encoding to the webhookId field to sanitize inputs against JavaScript injection, providing a defense‑in‑depth measure.

Generated by OpenCVE AI on June 24, 2026 at 07:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-42h7-m79w-wvg5 n8n: Stored XSS in Chat Trigger Node
History

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Title n8n: Stored XSS in Chat Trigger Node
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:34:23.628Z

Reserved: 2026-06-12T17:46:37.294Z

Link: CVE-2026-54302

cve-icon Vulnrichment

Updated: 2026-06-23T17:34:20.899Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T07:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')