CVE-2026-54302
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
In n8n before versions 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges.
Risk Assessment
An attacker could hijack another logged-in user's session, steal data, or perform unauthorized actions on their behalf, posing a serious risk to system confidentiality and integrity.
Recommendation
Immediately update n8n to version 1.123.55, 2.25.7, or 2.26.2, which contain a fix for the JavaScript injection vulnerability.
Original NVD description (English source)
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.

