CVE-2026-42228: n8n: WebSocket auth bypass hijacks AI agent workflows

GHSA-f77h-j2v7-g6mw UNKNOWN
Published April 29, 2026
CISO Take

n8n's /chat WebSocket endpoint lacks any authorization check, allowing an unauthenticated attacker who obtains a valid execution ID to attach to a live workflow session mid-execution, intercept the queued prompt intended for the legitimate user, and inject arbitrary input that steers all downstream agentic behavior. In AI-native environments where n8n orchestrates LLM chains, RAG queries, or tool-calling agents, this translates directly into workflow hijacking — an adversary can redirect automated decisions, exfiltrate sensitive prompts and system instructions passing between nodes, and trigger tool invocations with attacker-controlled payloads. EPSS places this in the top 81st percentile for exploitation likelihood, and with 75 historical CVEs in the same package and a risk score of 69/100, n8n's security track record demands scrutiny beyond this single finding. Upgrade immediately to n8n 1.123.32, 2.17.4, or 2.18.1; if patching is delayed, block the /chat WebSocket at the reverse-proxy layer and audit execution ID exposure in application logs and URLs.

Sources: NVD, EPSS, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

Medium-High for organizations using n8n as an AI agent orchestrator. The vulnerability is unauthenticated and requires zero privileges — the sole barrier is obtaining a valid execution ID for a workflow in a waiting state. Execution IDs may be discoverable through application logs, referrer headers, URL enumeration, API responses, or timing attacks against workflow creation. EPSS of 0.00063 in the 81st percentile reflects the relative exploitability of missing-authorization flaws at scale. The absence of a public exploit and CISA KEV listing tempers immediate urgency, but the agentic attack surface substantially amplifies potential impact beyond a typical web application auth bypass.

How does the attack unfold?

  1. Execution ID Reconnaissance (AML.T0006): Attacker identifies a valid workflow execution ID in a waiting state through application logs, URL enumeration, timing analysis of workflow creation, or API response inspection.

  2. Unauthorized WebSocket Attachment (AML.T0049): Attacker connects to the unauthenticated /chat WebSocket endpoint using the discovered execution ID, bypassing all authorization checks and racing the legitimate user to claim the session.

  3. Prompt Interception (AML.T0057): Attacker receives the pending prompt intended for the legitimate user, potentially exposing sensitive system instructions, user PII, proprietary context, or secrets embedded in workflow data.

  4. Workflow Hijack and Impact (AML.T0080.001): Attacker submits arbitrary input to resume the workflow, injecting adversary-controlled data that steers downstream LLM calls, tool invocations, webhook triggers, and API actions.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | < 1.123.32 | 1.123.32

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.4% chance of exploitation in 30 days (higher than 30% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Patch immediately: upgrade to n8n 1.123.32 (v1 branch), 2.17.4, or 2.18.1 per the vendor advisory.

  2. If patching is delayed, block external access to the /chat WebSocket endpoint at the network or reverse-proxy layer, restricting it to authorized IPs only.

  3. Audit execution ID exposure: review whether workflow execution IDs appear in application logs, browser URLs, API responses, or error messages accessible to unauthenticated parties.

  4. Enable n8n's built-in instance authentication (Basic Auth or OAuth) to add a defense-in-depth layer on all endpoints.

  5. Monitor WebSocket connections for anomalous concurrent sessions on the same execution ID as an indicator of exploitation.

  6. Treat any prompts in transit through Chat Trigger workflows on unpatched instances as potentially compromised and rotate any sensitive credentials or instructions embedded in workflow system prompts.
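
For step 5, an added example (not n8n's or the advisory's code) that flags execution IDs with time-overlapping /chat WebSocket sessions from different client addresses. It assumes a reverse-proxy access log in the format given in the comment and that the execution ID is logged as an `executionId` query parameter; both are assumptions to adapt to your deployment, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from urllib.parse import parse_qs, urlsplit

# Assumed log format: $time_iso8601 $remote_addr $status $request_time "$request"
# The line is written when the connection closes, so start = time - request_time.
LINE_RE = re.compile(r'^(?P<end>\S+) (?P<ip>\S+) (?P<status>\d{3}) '
                     r'(?P<dur>[\d.]+) "GET (?P<uri>\S+) HTTP/[\d.]+"$')

# Constructed sample lines (documentation IP ranges), not from a real system.
SAMPLE_LOG = """\
2026-05-01T10:00:40+00:00 198.51.100.10 101 35.0 "GET /chat?sessionId=s1&executionId=8841 HTTP/1.1"
2026-05-01T10:00:25+00:00 203.0.113.7 101 12.5 "GET /chat?sessionId=s9&executionId=8841 HTTP/1.1"
2026-05-01T10:05:00+00:00 198.51.100.11 101 20.0 "GET /chat?sessionId=s2&executionId=8842 HTTP/1.1"
2026-05-01T10:09:00+00:00 198.51.100.11 101 15.0 "GET /chat?sessionId=s2&executionId=8842 HTTP/1.1"
2026-05-01T10:10:00+00:00 198.51.100.12 200 0.1 "GET /healthz HTTP/1.1"
"""

def parse_chat_sessions(log_text):
    """Return {execution_id: [(start, end, ip), ...]} for upgraded /chat connections."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "101":  # 101 = WebSocket upgrade accepted
            continue
        url = urlsplit(m["uri"])
        exec_ids = parse_qs(url.query).get("executionId")  # assumed parameter name
        if url.path != "/chat" or not exec_ids:
            continue
        end = datetime.fromisoformat(m["end"])
        start = end - timedelta(seconds=float(m["dur"]))
        sessions[exec_ids[0]].append((start, end, m["ip"]))
    return sessions

def find_contested_executions(log_text):
    """Flag execution IDs with overlapping sessions from different client IPs."""
    findings = {}
    for exec_id, conns in parse_chat_sessions(log_text).items():
        for (s1, e1, ip1), (s2, e2, ip2) in combinations(conns, 2):
            if ip1 != ip2 and s1 <= e2 and s2 <= e1:  # intervals intersect
                findings.setdefault(exec_id, set()).update({ip1, ip2})
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for exec_id, ips in find_contested_executions(SAMPLE_LOG).items():
        print(f"execution {exec_id}: concurrent /chat sessions from {', '.join(ips)}")
```

Clients behind a shared NAT or proxy appear as one address, so a match is a lead for review and the absence of one does not rule out a second session.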

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.4 - AI system security controls; A.9.2 - Responsibilities for use of AI systems
NIST AI RMF: GOVERN-1.1 - Policies for trustworthy AI; MANAGE-2.4 - Mechanisms to address and recover from AI risks
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure; LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-42228 actively exploited?

No confirmed active exploitation of CVE-2026-42228 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-42228?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration, RAG pipelines, No-code/low-code AI automation.

What is the CVSS score for CVE-2026-42228?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, LLM workflow orchestration, RAG pipelines, No-code/low-code AI automation

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0057 LLM Data Leakage
AML.T0080 AI Agent Context Poisoning
AML.T0080.001 Thread

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.4, A.9.2
NIST AI RMF: GOVERN-1.1, MANAGE-2.4
OWASP LLM Top 10: LLM06, LLM08

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Exploitation Scenario

An attacker targeting an organization using n8n for an AI-powered internal helpdesk or customer-facing LLM workflow first enumerates valid workflow execution IDs — perhaps by polling the /chat endpoint during known workflow invocation windows, analyzing application logs leaked via a separate misconfiguration, or timing HTTP responses to infer active executions. Once a valid waiting execution is identified, the attacker connects to the /chat WebSocket endpoint with that ID before the legitimate user responds. The attacker receives the pending prompt in full — which may include a proprietary system prompt, a user's sensitive query, or PII collected upstream in the workflow. They then submit a crafted response: injecting instructions that redirect an LLM API call to exfiltrate data, poisoning a vector database write node with malicious embeddings, or triggering a webhook tool node to send data to an attacker-controlled endpoint. The legitimate user receives no indication the workflow was hijacked.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published: April 29, 2026
Last Modified: May 4, 2026
First Seen: April 30, 2026

Related Vulnerabilities