Impact
n8n’s Chat Trigger node allows users to enter custom CSS. A misconfiguration of the sanitize‑html library enables malicious JavaScript to be stored in that field, which is subsequently rendered on the public chat page. The stored XSS can run in the browsers of any user who visits the chat page, potentially leading to session hijacking, data theft or defacement. The CVSS score of 5.1 indicates a moderate severity warning that the flaw has exploitable interaction with the application’s public interface.
Affected Systems
The vulnerability exists in all n8n releases prior to version 1.123.27, between 2.0.0 and 2.13.2 inclusive, and the 2.14.0 release. The flaw was fixed in the 1.123.27, 2.13.3, and 2.14.1 fixes. Users running any of the affected releases should verify their installed version against these thresholds.
Risk and Exploitability
The flaw can be leveraged by an authenticated user who has permission to create or modify workflows; from that point the attacker can inject and store JavaScript that will execute for all visitors of the public chat page. The EPSS value is not available, and the issue is not listed in the CISA KEV catalog, suggesting that known external exploitation is not reported yet. Nonetheless, the moderate CVSS score and the fact that the attack requires no additional network access make this vulnerability a low‑to‑moderate risk for environments with open chat pages.
OpenCVE Enrichment