Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible webhook endpoint (AV:N/AC:L) reflects attacker input to authenticated victim browser (PR:L/UI:R), with scope change enabling cross-context credential theft (S:C/C:H); limited integrity impact from constrained JavaScript execution, no availability impact.
Primary rating from Vendor (https://github.com/n8n-io/n8n).
CVSS VectorVendor: https://github.com/n8n-io/n8n
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Impact
An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL.
Patches
The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and activation permissions to fully trusted users only.
- Disable the affected nodes by adding
n8n-nodes-base.facebookTrigger,n8n-nodes-base.whatsAppTrigger,n8n-nodes-base.facebookLeadAdsTrigger, andn8n-nodes-base.microsoftTeamsTriggerto theNODES_EXCLUDEenvironment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Reflected XSS in n8n's Facebook (Meta), WhatsApp, and Microsoft Teams webhook trigger nodes allows an attacker to execute arbitrary JavaScript in an authenticated user's browser by luring them to a crafted URL targeting the vulnerable webhook verification endpoints. Affected are all n8n deployments running version < 2.24.0 with any of the four vulnerable trigger nodes active; the CVSS scope change (S:C) means successful exploitation extends beyond the n8n component itself, enabling session hijacking or theft of API credentials stored in workflows. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the n8n instance has at least one of the following trigger nodes active and its associated webhook endpoint reachable over the network: facebookTrigger, whatsAppTrigger, facebookLeadAdsTrigger, or microsoftTeamsTrigger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N scores 7.6, which accurately characterizes the attack as network-reachable with low complexity but requiring both an authenticated session (PR:L) and mandatory user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an n8n instance with an active Facebook or Microsoft Teams trigger node and a public-facing webhook verification endpoint. The attacker constructs a URL to the webhook verification endpoint with a query parameter containing a JavaScript payload (e.g., a cookie-stealing script), then delivers this URL to a logged-in n8n user via a phishing email or embedded link. … |
| Remediation | The primary remediation is to upgrade n8n to version 2.24.0 or later, which is the vendor-confirmed fixed release per advisory GHSA-h86q-fx34-gfjr (https://github.com/n8n-io/n8n/security/advisories/GHSA-h86q-fx34-gfjr). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38460
GHSA-h86q-fx34-gfjr