AI Threat Alert

CVE-2026-25051: n8n: XSS enables session hijacking

MEDIUM
Published February 4, 2026
CISO Take

If your organization uses n8n for AI agent orchestration or workflow automation, patch to version 1.123.2 immediately. A low-privileged user can craft a malicious workflow that hijacks admin sessions via XSS when those users interact with it — and n8n workflows routinely store API keys, database credentials, and LLM tokens. Session takeover here means full access to every credential embedded in your agent pipelines.

What is the risk?

Effective risk is higher than CVSS 5.4 suggests in AI agent contexts. While the base score reflects low-privilege auth requirement and user interaction dependency, n8n's role as an AI agent orchestration hub amplifies blast radius significantly. An attacker who hijacks a workflow admin session inherits access to all stored credentials, can modify agent behavior silently, and can pivot to downstream services. Organizations running n8n for automated AI workflows with production API keys should treat this as HIGH operational risk regardless of the medium CVSS base score.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 13% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C Low
I Low
A None

What should I do?

6 steps

  1. PATCH

    Upgrade n8n to 1.123.2 immediately — this is the only complete fix.

  2. AUDIT

    Review n8n access logs for unexpected workflow modifications or unusual webhook activity, especially involving admin accounts.

  3. ISOLATE

    If patching is delayed, restrict n8n to internal network access only and enforce MFA on all accounts.

  4. ROTATE

    After patching, rotate all credentials stored in n8n workflows (API keys, DB passwords, tokens) as a precaution.

  5. DETECT

    Alert on workflow edits by non-admin users or on CSP violations in browser logs if you have endpoint visibility.

  6. INVENTORY

    Enumerate all credentials stored in n8n credential store and assess their blast radius if compromised.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Data Extraction Agent Framework API AML.T0011 AML.T0012 AML.T0049 AML.T0053 AML.T0081 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Information security controls for AI systems A.6.2.6 - Security of AI system development and operations
NIST AI RMF
GOVERN 1.7 - Processes for ongoing identification of risks and vulnerabilities in AI systems MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems MANAGE-2.2 - Mechanisms for managing identified risks
OWASP LLM Top 10
LLM05 - Improper Output Handling LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-25051?

If your organization uses n8n for AI agent orchestration or workflow automation, patch to version 1.123.2 immediately. A low-privileged user can craft a malicious workflow that hijacks admin sessions via XSS when those users interact with it — and n8n workflows routinely store API keys, database credentials, and LLM tokens. Session takeover here means full access to every credential embedded in your agent pipelines.

Is CVE-2026-25051 actively exploited?

No confirmed active exploitation of CVE-2026-25051 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25051?

1. PATCH: Upgrade n8n to 1.123.2 immediately — this is the only complete fix. 2. AUDIT: Review n8n access logs for unexpected workflow modifications or unusual webhook activity, especially involving admin accounts. 3. ISOLATE: If patching is delayed, restrict n8n to internal network access only and enforce MFA on all accounts. 4. ROTATE: After patching, rotate all credentials stored in n8n workflows (API keys, DB passwords, tokens) as a precaution. 5. DETECT: Alert on workflow edits by non-admin users or on CSP violations in browser logs if you have endpoint visibility. 6. INVENTORY: Enumerate all credentials stored in n8n credential store and assess their blast radius if compromised.

What systems are affected by CVE-2026-25051?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, API integration layers, LLM tool-calling backends, multi-user AI development environments.

What is the CVSS score for CVE-2026-25051?

CVE-2026-25051 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

agent frameworksworkflow automation pipelinesAPI integration layersLLM tool-calling backendsmulti-user AI development environments

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3, A.6.2.6
NIST AI RMF: GOVERN 1.7, MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM05, LLM06, LLM07, LLM08

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2.

Exploitation Scenario

An attacker with a low-privileged n8n account (e.g., a contractor or developer with workflow creation rights) creates a workflow that processes webhook responses containing a crafted XSS payload. The payload exploits the CSP sandbox bypass to execute JavaScript with same-origin privileges. The attacker then socially engineers or waits for a workspace admin to open or review the workflow. When the admin's browser executes the payload, their session token is exfiltrated to an attacker-controlled endpoint. With the admin session, the attacker silently exports all stored credentials from n8n, modifies existing AI agent workflows to route LLM queries through a logging proxy, and gains persistent access to every downstream system the AI agents are authorized to reach — including production databases, cloud APIs, and communication platforms.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed