Skip to main content

n8n EUVDEUVD-2026-27096

| CVE-2026-42228 MEDIUM
Missing Authorization (CWE-862)
2026-04-29 https://github.com/n8n-io/n8n GHSA-f77h-j2v7-g6mw
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 04, 2026 - 20:01 EUVD
CVSS changed
May 04, 2026 - 19:22 NVD
5.4 (MEDIUM) 6.3 (MEDIUM)
Source Code Evidence Fetched
Apr 29, 2026 - 22:02 vuln.today
Analysis Generated
Apr 29, 2026 - 22:02 vuln.today
Analysis Generated
Apr 29, 2026 - 21:30 vuln.today
CVE Published
Apr 29, 2026 - 21:17 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Impact

The /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior.

Exploitation requires the following conditions:

  • The instance exposes a public Hosted Chat workflow with authentication set to None.
  • A target execution is in a waiting state at the time of the attack.
  • The attacker can obtain or discover the execution ID of that waiting execution.

Patches

The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Enable authentication on all Chat Trigger nodes by setting the Authentication field to n8n User Auth rather than None.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

n8n Chat Trigger's Hosted Chat feature fails to verify WebSocket connection authorization on the /chat endpoint, allowing unauthenticated remote attackers to hijack workflow executions in waiting state by obtaining the execution ID, intercept intended user prompts, and submit arbitrary input to influence downstream workflow behavior. This affects instances configured with authentication set to None. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1. No public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability resides in n8n's Chat Trigger node's Hosted Chat feature, which uses a WebSocket endpoint at /chat to facilitate real-time communication between users and workflow executions. The underlying issue is an authentication bypass in the WebSocket connection handler - the endpoint accepts incoming connections without validating whether the connecting client is authorized to interact with the specified execution. The CWE-862 (Missing Authorization) classification indicates the root cause: the application fails to enforce proper access control checks before granting access to sensitive execution state and input channels. When a workflow is paused at a Chat Trigger node awaiting user input, the execution enters a waiting state and receives a unique execution ID. An attacker who discovers this execution ID can establish an unauthenticated WebSocket connection and gain direct access to the same execution context, bypassing the intended authentication model that should protect user interactions.

RemediationAI

Vendor-released patch: upgrade to n8n version 1.123.32 (if on 1.x branch), 2.17.4 (if on 2.x stable), or 2.18.1 or later (if on 2.18.x development). For immediate deployment on instances that cannot upgrade, enable authentication on all Chat Trigger nodes by changing the Authentication field from None to n8n User Auth - this forces legitimate users to authenticate before accessing the Chat Trigger, preventing unauthenticated WebSocket hijacking. The workaround does not fully remediate the underlying authorization bypass but significantly reduces attack surface by eliminating the unauthenticated path. Organizations should treat this as a temporary measure (documented by vendor as short-term only) and prioritize patching within 1-2 weeks. After upgrading, test Chat workflows to confirm execution state transitions and WebSocket connectivity function correctly, as authentication enforcement may affect existing integrations relying on unauthenticated access.

Share

EUVD-2026-27096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy