CVE-2026-25051
📋 TL;DR
An authenticated user with workflow creation/modification permissions in n8n can exploit a Cross-Site Scripting (XSS) vulnerability by crafting malicious workflows. When other users interact with these workflows, malicious scripts execute with same-origin privileges, potentially leading to session hijacking and account takeover. This affects all n8n instances running versions prior to 1.123.2.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of administrators or other users, leading to data theft, privilege escalation, and full compromise of the n8n instance.
Likely Case
Session hijacking of users who interact with malicious workflows, allowing attackers to perform actions as those users and potentially access sensitive workflow data.
If Mitigated
Limited impact if proper authentication controls, user permission restrictions, and network segmentation are in place.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of workflow creation. The vulnerability is in the CSP implementation, making exploitation straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.123.2
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx
Restart Required: Yes
Instructions:
1. Backup your n8n instance. 2. Update n8n to version 1.123.2 or later using your package manager or deployment method. 3. Restart the n8n service. 4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict workflow creation permissions
allLimit workflow creation and modification permissions to trusted users only. Implement principle of least privilege.
Network segmentation
allIsolate n8n instances from sensitive systems and implement strict network access controls.
🧯 If You Can't Patch
- Implement strict user permission controls to limit who can create/modify workflows
- Monitor for suspicious workflow creation/modification activities and implement user behavior analytics
🔍 How to Verify
Check if Vulnerable:
Check n8n version. If version is below 1.123.2, the system is vulnerable.Check Version:
n8n --version or check package.json version fieldVerify Fix Applied:
Verify n8n version is 1.123.2 or higher and test webhook response handling functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual workflow creation/modification patterns
- Multiple failed authentication attempts followed by workflow changes
- Suspicious webhook activity
Network Indicators:
- Unexpected outbound connections from n8n instance
- Unusual HTTP request patterns to webhook endpoints
SIEM Query:
source="n8n" AND (event="workflow_created" OR event="workflow_updated") | stats count by user