Skip to main content

n8n CVE-2026-54303

| EUVDEUVD-2026-38460 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 https://github.com/n8n-io/n8n GHSA-h86q-fx34-gfjr
6.8
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Network-accessible webhook endpoint (AV:N/AC:L) reflects attacker input to authenticated victim browser (PR:L/UI:R), with scope change enabling cross-context credential theft (S:C/C:H); limited integrity impact from constrained JavaScript execution, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
Jun 23, 2026 - 17:07 NVD
7.6 (MEDIUM) 6.8 (MEDIUM)
Source Code Evidence Fetched
Jun 17, 2026 - 00:34 vuln.today
Analysis Generated
Jun 17, 2026 - 00:34 vuln.today
CVE Published
Jun 16, 2026 - 22:39 github-advisory
MEDIUM 7.6

DescriptionCVE.org

Impact

An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL.

Patches

The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and activation permissions to fully trusted users only.
  • Disable the affected nodes by adding n8n-nodes-base.facebookTrigger, n8n-nodes-base.whatsAppTrigger, n8n-nodes-base.facebookLeadAdsTrigger, and n8n-nodes-base.microsoftTeamsTrigger to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

Reflected XSS in n8n's Facebook (Meta), WhatsApp, and Microsoft Teams webhook trigger nodes allows an attacker to execute arbitrary JavaScript in an authenticated user's browser by luring them to a crafted URL targeting the vulnerable webhook verification endpoints. Affected are all n8n deployments running version < 2.24.0 with any of the four vulnerable trigger nodes active; the CVSS scope change (S:C) means successful exploitation extends beyond the n8n component itself, enabling session hijacking or theft of API credentials stored in workflows. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify internet-accessible n8n webhook verification endpoint
Delivery
Craft malicious URL with XSS payload in reflected query parameter
Exploit
Deliver URL to authenticated n8n user via phishing or embedded link
Install
Victim clicks link while logged into n8n
C2
Server reflects unsanitized payload into HTTP response
Execute
Injected JavaScript executes in victim browser under n8n origin
Impact
Exfiltrate session tokens or stored workflow API credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires that the n8n instance has at least one of the following trigger nodes active and its associated webhook endpoint reachable over the network: facebookTrigger, whatsAppTrigger, facebookLeadAdsTrigger, or microsoftTeamsTrigger. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N scores 7.6, which accurately characterizes the attack as network-reachable with low complexity but requiring both an authenticated session (PR:L) and mandatory user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an n8n instance with an active Facebook or Microsoft Teams trigger node and a public-facing webhook verification endpoint. The attacker constructs a URL to the webhook verification endpoint with a query parameter containing a JavaScript payload (e.g., a cookie-stealing script), then delivers this URL to a logged-in n8n user via a phishing email or embedded link. …
Remediation The primary remediation is to upgrade n8n to version 2.24.0 or later, which is the vendor-confirmed fixed release per advisory GHSA-h86q-fx34-gfjr (https://github.com/n8n-io/n8n/security/advisories/GHSA-h86q-fx34-gfjr). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy