AI Threat Alert

CVE-2026-25051

MEDIUM
Published February 4, 2026
CISO Take

If your organization uses n8n for AI agent orchestration or workflow automation, patch to version 1.123.2 immediately. A low-privileged user can craft a malicious workflow that hijacks admin sessions via XSS when those users interact with it — and n8n workflows routinely store API keys, database credentials, and LLM tokens. Session takeover here means full access to every credential embedded in your agent pipelines.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Moderate

Recommended Action

  1. 1. PATCH: Upgrade n8n to 1.123.2 immediately — this is the only complete fix. 2. AUDIT: Review n8n access logs for unexpected workflow modifications or unusual webhook activity, especially involving admin accounts. 3. ISOLATE: If patching is delayed, restrict n8n to internal network access only and enforce MFA on all accounts. 4. ROTATE: After patching, rotate all credentials stored in n8n workflows (API keys, DB passwords, tokens) as a precaution. 5. DETECT: Alert on workflow edits by non-admin users or on CSP violations in browser logs if you have endpoint visibility. 6. INVENTORY: Enumerate all credentials stored in n8n credential store and assess their blast radius if compromised.

Classification

Code Execution Auth Bypass Data Extraction Agent Framework API AML.T0011 AML.T0012 AML.T0049 AML.T0053 AML.T0081 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Information security controls for AI systems A.6.2.6 - Security of AI system development and operations
NIST AI RMF
GOVERN 1.7 - Processes for ongoing identification of risks and vulnerabilities in AI systems MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems MANAGE-2.2 - Mechanisms for managing identified risks
OWASP LLM Top 10
LLM05 - Improper Output Handling LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2.

Exploitation Scenario

An attacker with a low-privileged n8n account (e.g., a contractor or developer with workflow creation rights) creates a workflow that processes webhook responses containing a crafted XSS payload. The payload exploits the CSP sandbox bypass to execute JavaScript with same-origin privileges. The attacker then socially engineers or waits for a workspace admin to open or review the workflow. When the admin's browser executes the payload, their session token is exfiltrated to an attacker-controlled endpoint. With the admin session, the attacker silently exports all stored credentials from n8n, modifies existing AI agent workflows to route LLM queries through a logging proxy, and gains persistent access to every downstream system the AI agents are authorized to reach — including production databases, cloud APIs, and communication platforms.

Weaknesses (CWE)

CWE-79 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026
Back to Threat Feed