CVE-2026-54302: n8n: stored XSS in Chat Trigger enables session hijack

GHSA-42h7-m79w-wvg5 HIGH
Published June 16, 2026
CISO Take

n8n's LangChain Chat Trigger node contains a stored XSS where any authenticated user with workflow-edit access can inject arbitrary JavaScript by supplying a malicious webhookId — and that payload executes in the n8n origin under the full session of any logged-in user who visits the chat URL. The Changed scope in the CVSS vector (7.6 High) is the critical detail: a low-privilege attacker can directly compromise higher-privileged accounts, then walk into n8n's credential vault and harvest LLM API keys, database connection strings, and SaaS tokens for every connected service. While no public exploit exists and the CVE is absent from CISA KEV, the 88th EPSS percentile signals above-average exploitation likelihood relative to all published CVEs, and n8n's history of 105 CVEs on this package indicates persistent security debt. Patch immediately to n8n 1.123.55, 2.25.7, or 2.26.2; if that's not feasible today, restrict workflow-edit rights to fully trusted users and disable the node via NODES_EXCLUDE.

Sources: NVD, GitHub Advisory, EPSS, OpenSSF, ATLAS

What is the risk?

High severity stored XSS in a widely deployed AI workflow orchestration platform. The attack bar is low — authenticated access with workflow-edit privileges is sufficient, a permission often broadly distributed in team deployments. The Changed scope elevates effective impact beyond the attacker's own session: a compromised admin account unlocks the entire n8n credential vault. The 88th EPSS percentile reflects above-average exploitation probability among all disclosed CVEs. n8n's 105 prior CVEs and OpenSSF Scorecard of 6.5/10 indicate structural security debt that increases the likelihood this class of vulnerability will recur, warranting elevated vendor scrutiny for organizations relying on n8n as AI orchestration infrastructure.

How does the attack unfold?

Initial Access
Attacker authenticates to n8n using a low-privilege account that holds workflow creation or editing rights.
AML.T0012
Configuration Tampering
Attacker sets the Chat Trigger node's webhookId field to a JavaScript payload that will execute in the n8n origin when the chat URL is loaded.
AML.T0081
User Execution
Attacker delivers the Chat Trigger's generated chat URL to a higher-privileged user; when that user visits the link while authenticated, the XSS payload fires inside their active session.
AML.T0011.003
Credential Harvest
The injected script exfiltrates session tokens and LLM provider API keys, database connection strings, and SaaS credentials stored in the n8n credential vault to an attacker-controlled endpoint.
AML.T0083

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         < 1.123.55         1.123.55

Package profile: 192.4K, OpenSSF Scorecard 6.5, pushed 3d ago, 55% patched, ~2d to patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
7.6 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

What should I do?

6 steps
  1. Upgrade to n8n 1.123.55 (v1 stable), 2.25.7, or 2.26.2 immediately — all three patch the webhookId sanitization gap.

  2. If immediate patching is blocked, restrict workflow creation and editing to fully trusted personnel via n8n RBAC.

  3. Add @n8n/n8n-nodes-langchain.chatTrigger to the NODES_EXCLUDE environment variable to disable the Chat Trigger node entirely as a stopgap.

  4. Audit existing workflows for Chat Trigger nodes with unexpected or externally-supplied webhookId values.

  5. Review n8n credential vault access logs for unauthorized access, particularly LLM provider API keys and database credentials.

  6. Rotate any credentials exposed via n8n if suspicious session activity is detected post-incident.
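
An added audit helper for steps 3 and 4 above; this is example code written for this page, not n8n's own tooling. It assumes that an exported workflow carries each node's identifier in a node-level webhookId property, that n8n-generated identifiers are canonical UUIDs, and that NODES_EXCLUDE holds a JSON array of node type strings; the sample workflow is constructed.

```javascript
// Added audit helper (not n8n's own code) for remediation steps 3 and 4:
// flag Chat Trigger nodes in an exported workflow whose webhookId is not the
// UUID n8n normally generates, and check whether NODES_EXCLUDE disables the node.
// Assumptions: the id lives in a node-level "webhookId" property, and
// NODES_EXCLUDE holds a JSON array of node type strings.
const CHAT_TRIGGER_TYPE = '@n8n/n8n-nodes-langchain.chatTrigger';
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function isCanonicalUuid(value) {
  return typeof value === 'string' && UUID_RE.test(value);
}

// One finding per suspicious Chat Trigger node; an empty array means clean.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== CHAT_TRIGGER_TYPE) continue;
    if (node.webhookId === undefined) {
      findings.push({ node: node.name, reason: 'missing webhookId' });
    } else if (!isCanonicalUuid(node.webhookId)) {
      findings.push({ node: node.name, reason: 'non-UUID webhookId', value: node.webhookId });
    }
  }
  return findings;
}

// Step 3 check: does the NODES_EXCLUDE value actually name the Chat Trigger?
// A value that is not a JSON array is reported as excluding nothing.
function chatTriggerExcluded(nodesExcludeEnv) {
  try {
    const list = JSON.parse(nodesExcludeEnv || '[]');
    return Array.isArray(list) && list.includes(CHAT_TRIGGER_TYPE);
  } catch {
    return false;
  }
}

// Constructed sample export (not a real workflow): one benign trigger, one
// with a tampered id containing markup metacharacters, one with no id at all.
const SAMPLE_WORKFLOW = {
  name: 'support-bot',
  nodes: [
    { name: 'Support chat', type: CHAT_TRIGGER_TYPE,
      webhookId: '3f2a9c1e-7b4d-4e8a-9c1d-2b6f8e4a1c57', parameters: {} },
    { name: 'Review chat', type: CHAT_TRIGGER_TYPE,
      webhookId: 'review"><marker>', parameters: {} },
    { name: 'Orphan chat', type: CHAT_TRIGGER_TYPE, parameters: {} },
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', parameters: {} },
  ],
};
```

Feed auditWorkflow the parsed JSON of each exported workflow and treat any finding as a node to inspect, and pass the deployed NODES_EXCLUDE value to chatTriggerExcluded to confirm the stopgap is actually in force.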

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: GOVERN 1.2 - Accountability structures for AI risk management
OWASP LLM Top 10: LLM02 - Insecure Output Handling; LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-54302 actively exploited?

No confirmed active exploitation of CVE-2026-54302 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-54302?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, LangChain chat integrations, human-in-the-loop AI pipelines, RAG orchestration pipelines.

What is the CVSS score for CVE-2026-54302?

CVE-2026-54302 has a CVSS v3.1 base score of 7.6 (HIGH). The EPSS exploitation probability is 0.04%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, workflow automation, LangChain chat integrations, human-in-the-loop AI pipelines, RAG orchestration pipelines

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0011.003 Malicious Link
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM02, LLM07

What are the technical details?

Original Advisory

## Impact

An authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious `webhookId`. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges.

## Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with low-privilege authenticated access — such as a contractor account or compromised developer credential with workflow-edit rights — creates a Chat Trigger workflow and injects a JavaScript payload into the webhookId field (e.g., a fetch() call exfiltrating document.cookie to an attacker-controlled server). The attacker then sends the Chat Trigger's generated URL to a targeted n8n administrator under a plausible pretext — 'can you review this AI chatbot workflow?' When the administrator loads the URL while authenticated, the payload fires in the n8n origin with their elevated session, silently exfiltrating their session token along with all LLM API keys and database credentials stored in the vault. The attacker now has persistent access to the full AI orchestration layer and every downstream service it connects to.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body; element attributes (such as src="XYZ"); URIs; JavaScript sections; Cascading Style Sheets and style property; etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.
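
The contextual encoding the CWE guidance describes, applied to the case on this page: a webhookId placed into a generated chat page in three output contexts. This is an added illustration, not n8n's code or its fix; the page layout, the URL shape and the rule that legitimate identifiers are UUIDs are assumptions for the example.

```javascript
// Added illustration (not n8n's code): rendering a chat page from a webhookId
// with per-context output encoding, per the CWE-79 guidance above.
// Assumptions: the page layout is invented, and valid ids are canonical UUIDs.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// HTML body and double-quoted attribute context: neutralize the five
// significant characters (sufficient for both when attributes are quoted).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> context: JSON-encode, then escape "<" so "</script>" cannot
// close the block, plus the two line terminators JSON.stringify leaves raw.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The defect class the advisory describes: raw interpolation of the same
// value into body, URL attribute and script contexts with no encoding at all.
function renderChatPageUnsafe(webhookId) {
  return `<h1>Chat ${webhookId}</h1>` +
    `<a href="/webhook/${webhookId}/chat">open</a>` +
    `<script>var chatId = "${webhookId}";</script>`;
}

// Hardened form: allowlist the identifier first, then still encode for each
// context. The href needs two layers: URL-encode the path segment, then
// HTML-encode the result for the attribute (encodeURIComponent leaves ' raw).
function renderChatPage(webhookId) {
  if (!UUID_RE.test(String(webhookId))) {
    throw new Error('webhookId is not a canonical UUID');
  }
  return `<h1>Chat ${escapeHtml(webhookId)}</h1>` +
    `<a href="/webhook/${escapeHtml(encodeURIComponent(webhookId))}/chat">open</a>` +
    `<script>var chatId = ${jsonForScript(webhookId)};</script>`;
}
```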

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 17, 2026
