An authenticated n8n user with workflow editor privileges can configure a Respond to Webhook node to serve arbitrary binary content with an attacker-controlled Content-Type header, circumventing the platform's Content-Security-Policy and executing JavaScript in the n8n origin against any authenticated visitor. For organizations using n8n to orchestrate AI agents — connecting LLMs, RAG backends, and external tool APIs — a successful exploit yields immediate session hijacking and access to every credential stored in workflow configurations: OpenAI keys, Anthropic tokens, vector database passwords. Despite no public exploit, this ranks in the top 89th percentile for exploitation likelihood per EPSS, and n8n's history of 95 prior CVEs with an OpenSSF score of 6.5/10 signals systemic security debt in this package. Patch immediately to n8n 1.123.55, 2.25.7, or 2.26.2; as a short-term workaround add n8n-nodes-base.respondToWebhook to NODES_EXCLUDE or restrict workflow edit access to fully trusted users only.
What is the risk?
High risk. The CVSS 7.6 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) reflects network-accessible exploitation requiring only low privileges and minimal complexity — any workflow editor can weaponize this with a basic understanding of HTTP Content-Type headers. The CSP bypass is particularly alarming: CSP is a last-line-of-defense control, and circumventing it exposes the full n8n origin to arbitrary script execution. The Changed scope (S:C) in the CVSS vector confirms that exploitation escapes the attacker's privilege boundary and impacts resources the attacker did not directly control. EPSS top-89th percentile places exploitation probability well above the median for CVEs at this severity level. Self-hosted n8n deployments used for AI agent orchestration carry elevated exposure given their broad external connectivity and credential concentration.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.55 | 1.123.55 |
Do you run n8n in the vulnerable range above? Then you're affected.
What should I do?
5 steps:
1. Patch: Upgrade to n8n 1.123.55, 2.25.7, or 2.26.2 immediately — these versions fix the CSP bypass in the binary response path.
2. Immediate workaround (if patching is delayed): set NODES_EXCLUDE=n8n-nodes-base.respondToWebhook in n8n environment variables to disable the vulnerable node entirely.
3. Access control: restrict workflow creation and editing to the minimum set of fully trusted users — reducing the attacker's entry surface.
4. Detection: audit all existing workflows for Respond to Webhook nodes with non-standard or manually specified Content-Type values; cross-reference against n8n audit logs for recent workflow modifications by unexpected users.
5. Credential rotation: after patching, rotate all AI service API keys, database credentials, and webhook secrets stored in n8n workflows as a precautionary measure against pre-patch exploitation.
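The detection step above can be scripted against exported workflow JSON. The following is an added example written for this page, not code from n8n or its maintainers. The node type id `n8n-nodes-base.respondToWebhook` comes from the advisory; the parameter names it reads (`respondWith`, `options.responseHeaders.entries`) and the sample export are assumptions about the export format, so compare them with a workflow exported from your own instance before relying on the output.

```javascript
// Added example (not n8n's own code): audit exported n8n workflow JSON for
// Respond to Webhook nodes that set a renderable Content-Type, which is the
// configuration the advisory describes. The node type id is from the advisory;
// the parameter names (respondWith, options.responseHeaders.entries) are
// assumptions about the export format and should be checked against your exports.

const RESPOND_NODE_TYPE = "n8n-nodes-base.respondToWebhook";

// Content types a browser will render as active content in the serving origin.
const ACTIVE_CONTENT_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
  "text/xml",
  "application/xml",
]);

// "Text/HTML; charset=utf-8" -> "text/html"
function normalizeContentType(value) {
  return String(value).split(";")[0].trim().toLowerCase();
}

// Returns the manually configured Content-Type of a node, or null if none is set.
function contentTypeOf(node) {
  const entries = node.parameters?.options?.responseHeaders?.entries ?? [];
  const hit = entries.find((h) => String(h.name).toLowerCase() === "content-type");
  return hit ? normalizeContentType(hit.value) : null;
}

// One finding per Respond to Webhook node that either sets a renderable
// Content-Type or uses the binary response path with a manually set type.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    if (node.type !== RESPOND_NODE_TYPE) continue;
    const contentType = contentTypeOf(node);
    const respondWith = node.parameters?.respondWith ?? "unknown";
    const reasons = [];
    if (contentType && ACTIVE_CONTENT_TYPES.has(contentType)) {
      reasons.push(`renderable Content-Type ${contentType}`);
    }
    if (respondWith === "binary" && contentType) {
      reasons.push("binary response path with a manually set Content-Type");
    }
    if (reasons.length) {
      findings.push({ workflow: workflow.name, node: node.name, respondWith, contentType, reasons });
    }
  }
  return findings;
}

// Constructed sample export (assumed shape): one benign JSON responder and one
// node that serves binary data as HTML, the pattern to flag for review.
const SAMPLE_WORKFLOW = {
  name: "agent-callback",
  nodes: [
    { name: "Webhook", type: "n8n-nodes-base.webhook", parameters: { path: "agent" } },
    { name: "Respond JSON", type: RESPOND_NODE_TYPE, parameters: { respondWith: "json", options: {} } },
    {
      name: "Respond Page",
      type: RESPOND_NODE_TYPE,
      parameters: {
        respondWith: "binary",
        options: { responseHeaders: { entries: [{ name: "Content-Type", value: "text/html; charset=utf-8" }] } },
      },
    },
  ],
};

function demo() {
  return auditWorkflow(SAMPLE_WORKFLOW);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run `auditWorkflow` over every exported workflow and treat each finding as a review item, not a verdict: a legitimately HTML-serving webhook will also be flagged, and the point is to pair the list with the audit log check in step 4 to see who last changed those nodes.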
Frequently Asked Questions
What is CVE-2026-54301?
An authenticated n8n user with workflow editor privileges can configure a Respond to Webhook node to serve arbitrary binary content with an attacker-controlled Content-Type header, circumventing the platform's Content-Security-Policy and executing JavaScript in the n8n origin against any authenticated visitor. For organizations using n8n to orchestrate AI agents — connecting LLMs, RAG backends, and external tool APIs — a successful exploit yields immediate session hijacking and access to every credential stored in workflow configurations: OpenAI keys, Anthropic tokens, vector database passwords. Despite no public exploit, this ranks in the top 89th percentile for exploitation likelihood per EPSS, and n8n's history of 95 prior CVEs with an OpenSSF score of 6.5/10 signals systemic security debt in this package. Patch immediately to n8n 1.123.55, 2.25.7, or 2.26.2; as a short-term workaround add n8n-nodes-base.respondToWebhook to NODES_EXCLUDE or restrict workflow edit access to fully trusted users only.
Is CVE-2026-54301 actively exploited?
No confirmed active exploitation of CVE-2026-54301 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54301?
1. Patch: Upgrade to n8n 1.123.55, 2.25.7, or 2.26.2 immediately — these versions fix the CSP bypass in the binary response path.
2. Immediate workaround (if patching is delayed): set NODES_EXCLUDE=n8n-nodes-base.respondToWebhook in n8n environment variables to disable the vulnerable node entirely.
3. Access control: restrict workflow creation and editing to the minimum set of fully trusted users — reducing the attacker's entry surface.
4. Detection: audit all existing workflows for Respond to Webhook nodes with non-standard or manually specified Content-Type values; cross-reference against n8n audit logs for recent workflow modifications by unexpected users.
5. Credential rotation: after patching, rotate all AI service API keys, database credentials, and webhook secrets stored in n8n workflows as a precautionary measure against pre-patch exploitation.
What systems are affected by CVE-2026-54301?
This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, LLM workflow automation pipelines, RAG pipelines with external tool connectors, Multi-tool AI agent frameworks, Automated AI data ingestion pipelines.
What is the CVSS score for CVE-2026-54301?
CVE-2026-54301 has a CVSS v3.1 base score of 7.6 (HIGH). The EPSS exploitation probability is 0.03%.
MITRE ATLAS Techniques
- AML.T0011.003 Malicious Link
- AML.T0049 Exploit Public-Facing Application
- AML.T0081 Modify AI Agent Configuration
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0091.000 Application Access Token
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
## Impact

An authenticated user with workflow edit access could configure a `Respond to Webhook` node to serve binary content with an attacker-controlled `Content-Type`. The binary response path bypassed the central `Content-Security-Policy` sandbox header, allowing a public webhook to execute JavaScript in the n8n origin when visited by an authenticated user, with access to that user's session.

## Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Respond to Webhook node by adding `n8n-nodes-base.respondToWebhook` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
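After upgrading, it is worth confirming on your own instance that webhook responses with a renderable media type now carry the sandbox header the advisory refers to. The check below is an added example written for this page, not n8n code; it classifies a captured response header map. The header names are standard HTTP, but the exact `Content-Security-Policy` value n8n emits is not stated in the advisory, so the check only looks for the `sandbox` directive (which gives the document an opaque origin, cutting it off from the n8n session) and for the `allow-same-origin` token, which would undo that isolation. The sample responses are constructed.

```javascript
// Added example (not n8n's own code): classify a captured webhook response by
// whether a browser would run it as active content inside the serving origin.
// Only the "sandbox" directive named in the advisory is checked; n8n's full
// CSP value is not on the page and is not assumed here.

// Media types a browser renders as a document that can execute script.
const RENDERABLE_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
  "text/xml",
  "application/xml",
]);

// "text/html; charset=utf-8" -> "text/html"; missing header -> null
function mediaType(contentType) {
  if (!contentType) return null;
  return String(contentType).split(";")[0].trim().toLowerCase();
}

// Parse "sandbox allow-forms; default-src 'none'" into Map(directive -> tokens).
function parseCsp(value) {
  const directives = new Map();
  for (const part of String(value ?? "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// headers: plain object keyed by lower-cased header name, the shape Node's
// http module produces in IncomingMessage.headers.
function classifyWebhookResponse(headers) {
  const type = mediaType(headers["content-type"]);
  if (!type || !RENDERABLE_TYPES.has(type)) {
    // Browser will not execute script from this response.
    return { verdict: "inert", mediaType: type };
  }
  const csp = parseCsp(headers["content-security-policy"]);
  if (!csp.has("sandbox")) {
    // The pre-patch condition: renderable content, no sandbox, same origin as n8n.
    return { verdict: "unsandboxed-active-content", mediaType: type };
  }
  if (csp.get("sandbox").includes("allow-same-origin")) {
    // Sandbox present but the document keeps the n8n origin, so isolation is lost.
    return { verdict: "sandbox-allows-same-origin", mediaType: type };
  }
  return { verdict: "sandboxed", mediaType: type };
}

// Constructed sample header maps, not captures from a real instance.
const SAMPLES = {
  prePatchLike: { "content-type": "text/html; charset=utf-8" },
  patchedLike: { "content-type": "text/html", "content-security-policy": "sandbox" },
  jsonResponse: { "content-type": "application/json" },
  weakSandbox: {
    "content-type": "image/svg+xml",
    "content-security-policy": "sandbox allow-scripts allow-same-origin",
  },
};

// Returns { sampleName: verdict } for every constructed sample.
function runSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, headers]) => [name, classifyWebhookResponse(headers).verdict])
  );
}

console.log(runSamples());
```

To feed it real data, point a test workflow's Respond to Webhook node at an HTML Content-Type on a non-production instance you own, capture the response headers (for example with `curl -s -D - -o /dev/null <your webhook URL>`), lower-case the names, and pass the map to `classifyWebhookResponse`; a `sandboxed` verdict on that test response is the behaviour the patched versions are meant to provide.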
Exploitation Scenario
An attacker with n8n workflow editor access — obtained via a compromised developer account, insider threat, or a shared team credential — creates a workflow containing a Respond to Webhook node configured to return a JavaScript payload with Content-Type: text/html. Because the binary response path in n8n skips the central CSP sandbox header, the browser treats the response as renderable HTML and executes the embedded script in the n8n origin. The attacker then crafts a social engineering pretext — a message reading 'can you verify this webhook integration?' — and sends the crafted webhook URL to a higher-privileged n8n administrator. When the admin clicks the link while authenticated, the attacker's script exfiltrates the session token to attacker-controlled infrastructure. Armed with the hijacked session, the attacker silently modifies AI agent workflows to redirect LLM API calls through an attacker-controlled proxy, harvests all stored AI service credentials from workflow configurations, and establishes persistence by injecting a secondary backdoor workflow.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials. Same package: n8n
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion. Same package: n8n
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same package: n8n
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE. Same package: n8n
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation. Same package: n8n