AI Threat Alert AI Threat Alert

CVE-2026-25051: n8n: XSS enables session hijacking

MEDIUM
Published February 4, 2026
CISO Take

If your organization uses n8n for AI agent orchestration or workflow automation, patch to version 1.123.2 immediately. A low-privileged user can craft a malicious workflow that hijacks admin sessions via XSS when those users interact with it — and n8n workflows routinely store API keys, database credentials, and LLM tokens. Session takeover here means full access to every credential embedded in your agent pipelines.

Risk Assessment

Effective risk is higher than CVSS 5.4 suggests in AI agent contexts. While the base score reflects low-privilege auth requirement and user interaction dependency, n8n's role as an AI agent orchestration hub amplifies blast radius significantly. An attacker who hijacks a workflow admin session inherits access to all stored credentials, can modify agent behavior silently, and can pivot to downstream services. Organizations running n8n for automated AI workflows with production API keys should treat this as HIGH operational risk regardless of the medium CVSS base score.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
186.5K OpenSSF 6.0 16 dependents Pushed 6d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C Low
I Low
A None

Recommended Action

6 steps

  1. PATCH

    Upgrade n8n to 1.123.2 immediately — this is the only complete fix.

  2. AUDIT

    Review n8n access logs for unexpected workflow modifications or unusual webhook activity, especially involving admin accounts.

  3. ISOLATE

    If patching is delayed, restrict n8n to internal network access only and enforce MFA on all accounts.

  4. ROTATE

    After patching, rotate all credentials stored in n8n workflows (API keys, DB passwords, tokens) as a precaution.

  5. DETECT

    Alert on workflow edits by non-admin users or on CSP violations in browser logs if you have endpoint visibility.

  6. INVENTORY

    Enumerate all credentials stored in n8n credential store and assess their blast radius if compromised.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Data Extraction Agent Framework API AML.T0011 AML.T0012 AML.T0049 AML.T0053 AML.T0081 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Information security controls for AI systems A.6.2.6 - Security of AI system development and operations
NIST AI RMF
GOVERN 1.7 - Processes for ongoing identification of risks and vulnerabilities in AI systems MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems MANAGE-2.2 - Mechanisms for managing identified risks
OWASP LLM Top 10
LLM05 - Improper Output Handling LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-25051?

If your organization uses n8n for AI agent orchestration or workflow automation, patch to version 1.123.2 immediately. A low-privileged user can craft a malicious workflow that hijacks admin sessions via XSS when those users interact with it — and n8n workflows routinely store API keys, database credentials, and LLM tokens. Session takeover here means full access to every credential embedded in your agent pipelines.

Is CVE-2026-25051 actively exploited?

No confirmed active exploitation of CVE-2026-25051 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25051?

1. PATCH: Upgrade n8n to 1.123.2 immediately — this is the only complete fix. 2. AUDIT: Review n8n access logs for unexpected workflow modifications or unusual webhook activity, especially involving admin accounts. 3. ISOLATE: If patching is delayed, restrict n8n to internal network access only and enforce MFA on all accounts. 4. ROTATE: After patching, rotate all credentials stored in n8n workflows (API keys, DB passwords, tokens) as a precaution. 5. DETECT: Alert on workflow edits by non-admin users or on CSP violations in browser logs if you have endpoint visibility. 6. INVENTORY: Enumerate all credentials stored in n8n credential store and assess their blast radius if compromised.

What systems are affected by CVE-2026-25051?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, API integration layers, LLM tool-calling backends, multi-user AI development environments.

What is the CVSS score for CVE-2026-25051?

CVE-2026-25051 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2.

Exploitation Scenario

An attacker with a low-privileged n8n account (e.g., a contractor or developer with workflow creation rights) creates a workflow that processes webhook responses containing a crafted XSS payload. The payload exploits the CSP sandbox bypass to execute JavaScript with same-origin privileges. The attacker then socially engineers or waits for a workspace admin to open or review the workflow. When the admin's browser executes the payload, their session token is exfiltrated to an attacker-controlled endpoint. With the admin session, the attacker silently exports all stored credentials from n8n, modifies existing AI agent workflows to route LLM queries through a logging proxy, and gains persistent access to every downstream system the AI agents are authorized to reach — including production databases, cloud APIs, and communication platforms.

Weaknesses (CWE)

CWE-79 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed