AI Threat Alert

CVE-2026-25054: n8n: XSS enables session hijacking

MEDIUM
Published February 4, 2026
CISO Take

n8n is widely used to orchestrate AI agent workflows and stores credentials for LLM APIs, databases, and third-party services. An attacker with any workflow editor role can inject XSS payloads into markdown fields (sticky notes, descriptions) that execute when privileged users open the workflow, enabling full session hijack and credential exfiltration from n8n's credential vault. Patch immediately to 1.123.9 or 2.2.1 and audit who holds workflow create/modify permissions — treat this as a credential exposure risk, not just a web bug.

What is the risk?

Effective risk is higher than the 5.4 CVSS suggests for AI-heavy environments. n8n is a trust hub: it stores API keys for OpenAI, Anthropic, vector databases, and downstream services. A session hijack against an admin account gives an attacker full access to all stored credentials, workflow logic, and connected systems. The low-privilege requirement and low attack complexity mean any disgruntled or compromised contributor can weaponize this. Not in KEV but the credential pivot potential makes this HIGH priority for teams running AI agent pipelines on n8n.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 8% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C Low
I Low
A None

What should I do?

6 steps

  1. PATCH

    Upgrade to n8n 1.123.9 (v1 branch) or 2.2.1 (v2 branch) immediately.

  2. RESTRICT

    Enforce least-privilege on workflow create/modify permissions — only trusted users should be able to author workflows.

  3. AUDIT

    Review all workflows for unexpected sticky notes, HTML/script content in markdown fields, or recently modified workflow descriptions.

  4. ROTATE

    Treat all credentials stored in n8n as potentially compromised if unpatched instances were accessible by untrusted users. Rotate LLM API keys, database passwords, and webhook secrets.

  5. DETECT

    Alert on unusual n8n admin session activity, new credential additions, or webhook modifications from unexpected IPs.

  6. ISOLATE

    For self-hosted deployments, restrict n8n UI access to VPN/internal network.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Code Execution Data Extraction Agent Framework API AML.T0011 AML.T0012 AML.T0049 AML.T0053 AML.T0055 AML.T0081 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.3 - Information security in the AI supply chain A.6.2.6 - AI system security A.8.7 - Information security for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems MANAGE-2.2 - Mechanisms for risk response
OWASP LLM Top 10
LLM02 - Insecure Output Handling LLM06 - Excessive Agency LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-25054?

n8n is widely used to orchestrate AI agent workflows and stores credentials for LLM APIs, databases, and third-party services. An attacker with any workflow editor role can inject XSS payloads into markdown fields (sticky notes, descriptions) that execute when privileged users open the workflow, enabling full session hijack and credential exfiltration from n8n's credential vault. Patch immediately to 1.123.9 or 2.2.1 and audit who holds workflow create/modify permissions — treat this as a credential exposure risk, not just a web bug.

Is CVE-2026-25054 actively exploited?

No confirmed active exploitation of CVE-2026-25054 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25054?

1. PATCH: Upgrade to n8n 1.123.9 (v1 branch) or 2.2.1 (v2 branch) immediately. 2. RESTRICT: Enforce least-privilege on workflow create/modify permissions — only trusted users should be able to author workflows. 3. AUDIT: Review all workflows for unexpected sticky notes, HTML/script content in markdown fields, or recently modified workflow descriptions. 4. ROTATE: Treat all credentials stored in n8n as potentially compromised if unpatched instances were accessible by untrusted users. Rotate LLM API keys, database passwords, and webhook secrets. 5. DETECT: Alert on unusual n8n admin session activity, new credential additions, or webhook modifications from unexpected IPs. 6. ISOLATE: For self-hosted deployments, restrict n8n UI access to VPN/internal network.

What systems are affected by CVE-2026-25054?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, API integrations, RAG pipelines, workflow orchestration.

What is the CVSS score for CVE-2026-25054?

CVE-2026-25054 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

agent frameworksAPI integrationsRAG pipelinesworkflow orchestration

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.15, Article 9
ISO 42001: A.6.1.3, A.6.2.6, A.8.7
NIST AI RMF: MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM06, LLM07

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1.

Exploitation Scenario

An attacker with a low-privilege n8n account (e.g., a contractor or shared team account) creates a workflow and embeds a JavaScript payload in a sticky note using a markdown rendering bypass. The payload exfiltrates the victim's session cookie to an attacker-controlled endpoint. An admin or senior developer opens the workflow for review — standard collaborative behavior. The script executes in their browser with same-origin privileges, sends the session token to the attacker, who then authenticates as the admin. The attacker navigates to n8n Credentials, exports all stored secrets (OpenAI API key, Pinecone token, Postgres credentials), and modifies existing AI agent workflows to include data exfiltration nodes or malicious tool call injections. The compromise of the AI pipeline is silent and persistent until the workflow modification is noticed.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed