AI Threat Alert

CVE-2026-25054

MEDIUM
Published February 4, 2026
CISO Take

n8n is widely used to orchestrate AI agent workflows and stores credentials for LLM APIs, databases, and third-party services. An attacker with any workflow editor role can inject XSS payloads into markdown fields (sticky notes, descriptions) that execute when privileged users open the workflow, enabling full session hijack and credential exfiltration from n8n's credential vault. Patch immediately to 1.123.9 or 2.2.1 and audit who holds workflow create/modify permissions — treat this as a credential exposure risk, not just a web bug.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
n8n npm No patch

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. 1. PATCH: Upgrade to n8n 1.123.9 (v1 branch) or 2.2.1 (v2 branch) immediately. 2. RESTRICT: Enforce least-privilege on workflow create/modify permissions — only trusted users should be able to author workflows. 3. AUDIT: Review all workflows for unexpected sticky notes, HTML/script content in markdown fields, or recently modified workflow descriptions. 4. ROTATE: Treat all credentials stored in n8n as potentially compromised if unpatched instances were accessible by untrusted users. Rotate LLM API keys, database passwords, and webhook secrets. 5. DETECT: Alert on unusual n8n admin session activity, new credential additions, or webhook modifications from unexpected IPs. 6. ISOLATE: For self-hosted deployments, restrict n8n UI access to VPN/internal network.

Classification

Auth Bypass Code Execution Data Extraction Agent Framework API AML.T0011 AML.T0012 AML.T0049 AML.T0053 AML.T0055 AML.T0081 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.3 - Information security in the AI supply chain A.6.2.6 - AI system security A.8.7 - Information security for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems MANAGE-2.2 - Mechanisms for risk response
OWASP LLM Top 10
LLM02 - Insecure Output Handling LLM06 - Excessive Agency LLM07 - Insecure Plugin Design

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1.

Exploitation Scenario

An attacker with a low-privilege n8n account (e.g., a contractor or shared team account) creates a workflow and embeds a JavaScript payload in a sticky note using a markdown rendering bypass. The payload exfiltrates the victim's session cookie to an attacker-controlled endpoint. An admin or senior developer opens the workflow for review — standard collaborative behavior. The script executes in their browser with same-origin privileges, sends the session token to the attacker, who then authenticates as the admin. The attacker navigates to n8n Credentials, exports all stored secrets (OpenAI API key, Pinecone token, Postgres credentials), and modifies existing AI agent workflows to include data exfiltration nodes or malicious tool call injections. The compromise of the AI pipeline is silent and persistent until the workflow modification is noticed.

Weaknesses (CWE)

CWE-79 Primary CWE-80 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026
Back to Threat Feed