Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54302

CVE-2026-54302: n8n Workflow Automation XSS Vulnerability

CVE-2026-54302 is a cross-site scripting flaw in n8n workflow automation that allows authenticated users to inject malicious JavaScript via Chat Trigger. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-54302 Overview

CVE-2026-54302 is a stored cross-site scripting (XSS) vulnerability in n8n, an open source workflow automation platform. The flaw resides in the Chat Trigger node, where an authenticated user with workflow edit permissions can set a malicious webhookId. That value is rendered into the Chat Trigger's generated page without proper sanitization. When another logged-in user opens the chat URL, the injected JavaScript executes in the n8n origin under the victim's session privileges. The issue is tracked as [CWE-79] and is fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2.

Critical Impact

An attacker with workflow edit access can execute arbitrary JavaScript in any logged-in user's browser session, enabling account takeover and unauthorized workflow manipulation.

Affected Products

  • n8n versions prior to 1.123.55
  • n8n versions prior to 2.25.7
  • n8n versions prior to 2.26.2

Discovery Timeline

  • 2026-06-23 - CVE-2026-54302 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-54302

Vulnerability Analysis

The vulnerability is a stored XSS in the n8n Chat Trigger feature. n8n exposes a chat interface through a generated page tied to a workflow's webhookId. The webhookId field is configurable by any authenticated user with workflow edit access. The application renders this identifier into the generated chat page without applying contextual output encoding. An attacker can therefore set the webhookId to a payload containing JavaScript that runs in the browser when the page loads.

Because the script executes in the n8n origin, it inherits the victim's session cookies, CSRF tokens, and API access. An attacker can pivot from low-privilege workflow editor to full account compromise of any user who visits the malicious chat URL. This includes administrators, which exposes credentials stored in n8n, connected service tokens, and any data flowing through workflows.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. The Chat Trigger node treats the webhookId as trusted data and inserts it directly into HTML output. n8n's fix introduces validation and encoding so that user-supplied identifiers cannot break out of their rendered context.

Attack Vector

Exploitation requires an authenticated account with workflow edit privileges and a victim who is logged into n8n. The attacker creates or modifies a Chat Trigger workflow and assigns a webhookId containing a JavaScript payload. The attacker then shares or socially engineers a target into visiting the chat URL. Refer to the GitHub Security Advisory GHSA-42h7-m79w-wvg5 for further technical context. No verified proof-of-concept code is publicly available at this time.

Detection Methods for CVE-2026-54302

Indicators of Compromise

  • Chat Trigger workflows with unusual or script-like characters in the webhookId field, including angle brackets, javascript: strings, or HTML entities.
  • Audit log entries showing modifications to Chat Trigger nodes by accounts that do not normally administer chat workflows.
  • Outbound browser requests from logged-in n8n users to unfamiliar domains immediately after visiting a chat URL.

Detection Strategies

  • Query workflow definitions in the n8n database for Chat Trigger nodes and inspect each webhookId value against a strict alphanumeric or UUID pattern.
  • Monitor reverse proxy and web server logs for chat URLs containing non-standard characters in the path segment that corresponds to the webhook identifier.
  • Review browser console errors and Content Security Policy (CSP) violation reports originating from the n8n origin.

Monitoring Recommendations

  • Enable and centralize n8n audit logs covering workflow create, update, and share events for correlation with user session activity.
  • Alert on privilege-sensitive actions, such as credential creation or user role changes, that occur shortly after a user opens a Chat Trigger page.
  • Track version drift across n8n deployments to confirm all instances are on 1.123.55, 2.25.7, or 2.26.2 or later.

How to Mitigate CVE-2026-54302

Immediate Actions Required

  • Upgrade n8n to 1.123.55, 2.25.7, or 2.26.2 depending on your release branch.
  • Audit existing Chat Trigger workflows and remove or normalize any webhookId values that contain non-standard characters.
  • Restrict workflow edit permissions to trusted users and review the membership of roles that grant this capability.

Patch Information

The maintainers released fixes in n8n 1.123.55, 2.25.7, and 2.26.2. The patch enforces validation and proper output encoding for the webhookId value used by the Chat Trigger's generated page. See the GitHub Security Advisory GHSA-42h7-m79w-wvg5 for the official fix details.

Workarounds

  • Disable Chat Trigger workflows until the upgrade is applied if patching cannot be performed immediately.
  • Apply a strict Content Security Policy on the n8n origin to block inline scripts and untrusted script sources.
  • Instruct users not to open Chat Trigger URLs from workflows they did not create or that were modified by other editors.
bash
# Example: verify the installed n8n version after upgrade
n8n --version

# Example CSP header to add at the reverse proxy in front of n8n
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.