Description
n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. This vulnerability is fixed in 2.24.0.
Published: 2026-06-23
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content‑Security‑Policy headers, enabling reflected XSS in the n8n origin when a logged‑in user visits a crafted URL. This is a CWE‑79 reflected cross‑site scripting vulnerability, fixed in 2.24.0.

Affected Systems

The open‑source workflow automation platform n8n from n8n‑io is affected. All releases prior to version 2.24.0 contain the flaw; version 2.24.0 and later include the fix.

Risk and Exploitability

The CVSS score is 6.8, indicating moderate severity. The likely attack scenario involves an authenticated user being directed to a crafted URL that triggers the vulnerable endpoint; this inference comes from the fact that the endpoint reflects a query parameter into the HTTP response only for logged‑in users. Because the endpoint requires authentication and exploitation relies on the victim clicking a malicious link, this is a social‑engineering attack. The EPSS score is not available, so precise exploitation probability cannot be determined, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 24, 2026 at 11:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.24.0 or later to apply the vendor fix.
  • Temporarily disable or restrict access to the affected Meta and Microsoft Teams trigger endpoints until the upgrade is completed.
  • Implement a Content‑Security‑Policy for the n8n web application to mitigate future reflected injection attacks.

Generated by OpenCVE AI on June 24, 2026 at 11:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h86q-fx34-gfjr n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. This vulnerability is fixed in 2.24.0.
Title n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:52:23.360Z

Reserved: 2026-06-12T17:46:37.294Z

Link: CVE-2026-54303

cve-icon Vulnrichment

Updated: 2026-06-24T13:52:19.182Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')