AI Threat Alert

CVE-2026-54303: n8n: reflected XSS in trigger nodes enables session hijack

GHSA-h86q-fx34-gfjr HIGH
Published June 16, 2026
CISO Take

A reflected XSS vulnerability in n8n's Meta and Microsoft Teams trigger nodes lets an attacker execute arbitrary JavaScript in an authenticated user's browser session by luring them into visiting a crafted URL — requiring only a low-privileged n8n account to craft the payload. n8n is widely deployed as an AI workflow orchestration hub, meaning a hijacked admin session can expose stored API keys for OpenAI, Anthropic, HuggingFace, and other AI services, as well as enable silent manipulation of production AI pipelines. The CVSS scope-change flag (S:C, C:H) confirms the blast radius extends beyond n8n itself into every connected AI service; and at EPSS top-88th-percentile, exploitation likelihood is elevated relative to most CVEs. Upgrade to n8n 2.24.0 immediately; if patching is blocked, disable the four affected node IDs via NODES_EXCLUDE and audit stored AI credentials for unauthorized use.

Sources: NVD EPSS GitHub Advisory ATLAS OpenSSF

What is the risk?

High risk for organizations using n8n as an AI orchestration layer. The CVSS scope:Changed vector (S:C) and C:H rating signal that exploitation breaks containment — browser-injected scripts can exfiltrate any secret visible in the n8n origin, including third-party AI API credentials. The attack surface is broad: any authenticated user who clicks a malicious link is a viable target, including n8n admins managing production AI workflows. EPSS at the 88th percentile indicates higher relative exploitation likelihood than the raw score suggests. No public exploit or KEV listing yet, but XSS is trivially weaponizable once a PoC emerges, and n8n's popularity in AI automation makes it a high-value target.

How does the attack unfold?

Reconnaissance
Attacker identifies target organization running n8n for AI workflow automation via exposed instances, job postings, or GitHub references, and locates the vulnerable Meta or Teams trigger endpoint.
AML.T0003
Malicious Link Delivery
Attacker crafts a URL with a reflected XSS payload in the trigger node query parameter and delivers it to an authenticated n8n user via phishing email or social engineering message.
AML.T0011.003
XSS Execution
Victim clicks the link while logged into n8n; injected JavaScript executes in the n8n browser origin, silently capturing session tokens and enumerating stored AI service credentials.
AML.T0049
Credential Exfiltration and Workflow Compromise
Attacker replays the hijacked session to extract stored AI API keys and modify production LLM workflows, gaining persistent access to all connected AI services.
AML.T0083

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm < 2.24.0 2.24.0
192.4K OpenSSF 6.5 Pushed 3d ago 55% patched ~2d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
7.6 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C High
I Low
A None

What should I do?

5 steps

  1. Patch: Upgrade n8n to version 2.24.0 or later immediately — this is the only complete remediation.

  2. Workaround (if patching is delayed): Set the NODES_EXCLUDE environment variable to include n8n-nodes-base.facebookTrigger, n8n-nodes-base.whatsAppTrigger, n8n-nodes-base.facebookLeadAdsTrigger, and n8n-nodes-base.microsoftTeamsTrigger.

  3. Restrict permissions: Limit workflow creation and activation to fully trusted accounts to reduce the pool of exploitable high-privilege sessions.

  4. Credential audit: Review and rotate all stored AI service credentials (OpenAI, Anthropic, HuggingFace, etc.) in n8n if prior exploitation is suspected.

  5. Detection: Scan HTTP access logs for requests to Meta or Teams trigger endpoints containing URL-encoded script tags, event handlers, or JavaScript URIs in query parameters.

How is it classified?

Social Engineering Auth Bypass Data Extraction Agent Framework Plugin AML.T0011.003 AML.T0049 AML.T0078 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-54303?

A reflected XSS vulnerability in n8n's Meta and Microsoft Teams trigger nodes lets an attacker execute arbitrary JavaScript in an authenticated user's browser session by luring them into visiting a crafted URL — requiring only a low-privileged n8n account to craft the payload. n8n is widely deployed as an AI workflow orchestration hub, meaning a hijacked admin session can expose stored API keys for OpenAI, Anthropic, HuggingFace, and other AI services, as well as enable silent manipulation of production AI pipelines. The CVSS scope-change flag (S:C, C:H) confirms the blast radius extends beyond n8n itself into every connected AI service; and at EPSS top-88th-percentile, exploitation likelihood is elevated relative to most CVEs. Upgrade to n8n 2.24.0 immediately; if patching is blocked, disable the four affected node IDs via NODES_EXCLUDE and audit stored AI credentials for unauthorized use.

Is CVE-2026-54303 actively exploited?

No confirmed active exploitation of CVE-2026-54303 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54303?

1. Patch: Upgrade n8n to version 2.24.0 or later immediately — this is the only complete remediation. 2. Workaround (if patching is delayed): Set the NODES_EXCLUDE environment variable to include n8n-nodes-base.facebookTrigger, n8n-nodes-base.whatsAppTrigger, n8n-nodes-base.facebookLeadAdsTrigger, and n8n-nodes-base.microsoftTeamsTrigger. 3. Restrict permissions: Limit workflow creation and activation to fully trusted accounts to reduce the pool of exploitable high-privilege sessions. 4. Credential audit: Review and rotate all stored AI service credentials (OpenAI, Anthropic, HuggingFace, etc.) in n8n if prior exploitation is suspected. 5. Detection: Scan HTTP access logs for requests to Meta or Teams trigger endpoints containing URL-encoded script tags, event handlers, or JavaScript URIs in query parameters.

What systems are affected by CVE-2026-54303?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow automation pipelines, AI integration platforms, LLM orchestration pipelines.

What is the CVSS score for CVE-2026-54303?

CVE-2026-54303 has a CVSS v3.1 base score of 7.6 (HIGH). The EPSS exploitation probability is 0.04%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksworkflow automation pipelinesAI integration platformsLLM orchestration pipelines

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0049 Exploit Public-Facing Application
AML.T0078 Drive-by Compromise
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

## Impact An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. ## Patches The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and activation permissions to fully trusted users only. - Disable the affected nodes by adding `n8n-nodes-base.facebookTrigger`, `n8n-nodes-base.whatsAppTrigger`, `n8n-nodes-base.facebookLeadAdsTrigger`, and `n8n-nodes-base.microsoftTeamsTrigger` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker identifies an organization's n8n deployment used for AI workflow automation — via LinkedIn job postings, exposed instances on Shodan, or GitHub repos referencing the instance URL. They determine that the Microsoft Teams trigger node is active. The attacker crafts a URL targeting n8n's Teams trigger endpoint with a reflected XSS payload embedded in a query parameter — a JavaScript snippet that silently POSTs the authenticated user's session cookies to an attacker-controlled server. Via a spearphishing email or Slack message impersonating a Teams notification alert, the link is delivered to an n8n administrator. When the admin clicks while authenticated, the script executes in the n8n origin, harvests the session token, and exfiltrates it. The attacker replays the session to enumerate all stored credentials — OpenAI and Anthropic API keys, webhook secrets, OAuth tokens — then injects malicious exfiltration nodes into production LLM workflows silently.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

References

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 17, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-54309 10.0

n8n: MCP browser auth bypass allows full browser takeover

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
Back to Threat Feed