AI Threat Alert AI Threat Alert

CVE-2026-25054: n8n: XSS enables session hijacking

MEDIUM
Published February 4, 2026
CISO Take

n8n is widely used to orchestrate AI agent workflows and stores credentials for LLM APIs, databases, and third-party services. An attacker with any workflow editor role can inject XSS payloads into markdown fields (sticky notes, descriptions) that execute when privileged users open the workflow, enabling full session hijack and credential exfiltration from n8n's credential vault. Patch immediately to 1.123.9 or 2.2.1 and audit who holds workflow create/modify permissions — treat this as a credential exposure risk, not just a web bug.

Risk Assessment

Effective risk is higher than the 5.4 CVSS suggests for AI-heavy environments. n8n is a trust hub: it stores API keys for OpenAI, Anthropic, vector databases, and downstream services. A session hijack against an admin account gives an attacker full access to all stored credentials, workflow logic, and connected systems. The low-privilege requirement and low attack complexity mean any disgruntled or compromised contributor can weaponize this. Not in KEV but the credential pivot potential makes this HIGH priority for teams running AI agent pipelines on n8n.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
186.5K OpenSSF 6.0 16 dependents Pushed 6d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C Low
I Low
A None

Recommended Action

6 steps

  1. PATCH

    Upgrade to n8n 1.123.9 (v1 branch) or 2.2.1 (v2 branch) immediately.

  2. RESTRICT

    Enforce least-privilege on workflow create/modify permissions — only trusted users should be able to author workflows.

  3. AUDIT

    Review all workflows for unexpected sticky notes, HTML/script content in markdown fields, or recently modified workflow descriptions.

  4. ROTATE

    Treat all credentials stored in n8n as potentially compromised if unpatched instances were accessible by untrusted users. Rotate LLM API keys, database passwords, and webhook secrets.

  5. DETECT

    Alert on unusual n8n admin session activity, new credential additions, or webhook modifications from unexpected IPs.

  6. ISOLATE

    For self-hosted deployments, restrict n8n UI access to VPN/internal network.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Code Execution Data Extraction Agent Framework API AML.T0011 AML.T0012 AML.T0049 AML.T0053 AML.T0055 AML.T0081 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.3 - Information security in the AI supply chain A.6.2.6 - AI system security A.8.7 - Information security for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems MANAGE-2.2 - Mechanisms for risk response
OWASP LLM Top 10
LLM02 - Insecure Output Handling LLM06 - Excessive Agency LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-25054?

n8n is widely used to orchestrate AI agent workflows and stores credentials for LLM APIs, databases, and third-party services. An attacker with any workflow editor role can inject XSS payloads into markdown fields (sticky notes, descriptions) that execute when privileged users open the workflow, enabling full session hijack and credential exfiltration from n8n's credential vault. Patch immediately to 1.123.9 or 2.2.1 and audit who holds workflow create/modify permissions — treat this as a credential exposure risk, not just a web bug.

Is CVE-2026-25054 actively exploited?

No confirmed active exploitation of CVE-2026-25054 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25054?

1. PATCH: Upgrade to n8n 1.123.9 (v1 branch) or 2.2.1 (v2 branch) immediately. 2. RESTRICT: Enforce least-privilege on workflow create/modify permissions — only trusted users should be able to author workflows. 3. AUDIT: Review all workflows for unexpected sticky notes, HTML/script content in markdown fields, or recently modified workflow descriptions. 4. ROTATE: Treat all credentials stored in n8n as potentially compromised if unpatched instances were accessible by untrusted users. Rotate LLM API keys, database passwords, and webhook secrets. 5. DETECT: Alert on unusual n8n admin session activity, new credential additions, or webhook modifications from unexpected IPs. 6. ISOLATE: For self-hosted deployments, restrict n8n UI access to VPN/internal network.

What systems are affected by CVE-2026-25054?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, API integrations, RAG pipelines, workflow orchestration.

What is the CVSS score for CVE-2026-25054?

CVE-2026-25054 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1.

Exploitation Scenario

An attacker with a low-privilege n8n account (e.g., a contractor or shared team account) creates a workflow and embeds a JavaScript payload in a sticky note using a markdown rendering bypass. The payload exfiltrates the victim's session cookie to an attacker-controlled endpoint. An admin or senior developer opens the workflow for review — standard collaborative behavior. The script executes in their browser with same-origin privileges, sends the session token to the attacker, who then authenticates as the admin. The attacker navigates to n8n Credentials, exports all stored secrets (OpenAI API key, Pinecone token, Postgres credentials), and modifies existing AI agent workflows to include data exfiltration nodes or malicious tool call injections. The compromise of the AI pipeline is silent and persistent until the workflow modification is noticed.

Weaknesses (CWE)

CWE-79 Primary CWE-80 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed