CVE-2025-46343: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in n8n-io n8n
n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could send a request to change the user’s email address in their account settings, effectively enabling account takeover. This issue has been patched in version 1.90.0.
AI Analysis
Technical Summary
CVE-2025-46343 is a stored cross-site scripting (XSS) vulnerability in the n8n workflow automation platform, affecting versions prior to 1.90.0. n8n workflows can store binary files, and authenticated users retrieve them through the attachments view endpoint. The flaw is that the endpoint honours a MIME type supplied in a GET parameter instead of a type fixed server-side when the file was stored, so a caller can make the server return any stored file with any Content-Type, including text/html. An authenticated attacker with member-level permissions uploads a file containing HTML and JavaScript, then gets another user to open the binary data URL with the MIME type parameter set to text/html. Because the response is served from the n8n instance's own origin, the browser renders it as a page of the application and the script runs with the victim's session; it can therefore call the n8n REST API as the victim, for example to change the email address in the victim's account settings, which leads to account takeover. Exploitation requires an authenticated account and user interaction (the victim must visit the crafted URL). The vulnerability carries a CVSS v3.1 base score of 5.0 (medium), which reflects the privileges and user interaction required rather than the outcome of a successful attack, which is takeover of the victim's account. The issue was patched in n8n version 1.90.0. No exploitation in the wild had been reported as of the publication date.
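The following is an added example, not n8n's own code, showing the file-serving pattern that produces the stored XSS described above next to a hardened version: the Content-Type is decided from the server-side record only, anything outside a small allowlist is downgraded to application/octet-stream and forced to download, and nosniff plus a sandboxing CSP close the remaining gaps. The `mimeType`, `fileName` and `action` query parameters and the shape of the stored-file record are assumptions made for illustration.

```javascript
// Added example, not n8n's own code. The query parameter names and the
// stored-file record shape are assumptions made for illustration.

// Types a browser will execute as a same-origin document if served inline.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/xml', 'application/xml', 'text/javascript', 'application/javascript',
]);

// The only types the hardened endpoint is willing to show inline.
const INLINE_ALLOWLIST = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'application/pdf', 'text/plain',
]);

function baseType(mimeType) {
  return String(mimeType || '').toLowerCase().split(';')[0].trim();
}

// Vulnerable: Content-Type is taken from the request, so a file stored as
// text/plain with an HTML body is rendered as a page on the app's origin.
function vulnerableHeaders(stored, query) {
  return {
    'Content-Type': query.mimeType || stored.mimeType,
    'Content-Disposition': `inline; filename="${query.fileName || stored.fileName}"`,
  };
}

// Hardened: the type comes only from the server-side record, anything outside
// the allowlist is downgraded to application/octet-stream and forced to
// download, and nosniff stops the browser from guessing a richer type.
function hardenedHeaders(stored, query) {
  const fileName = String(stored.fileName).replace(/[^\w.-]/g, '_');
  let mimeType = baseType(stored.mimeType);
  let disposition = 'attachment';
  if (!INLINE_ALLOWLIST.has(mimeType)) {
    mimeType = 'application/octet-stream';
  } else if (query.action === 'view') {
    disposition = 'inline';
  }
  return {
    'Content-Type': mimeType,
    'Content-Disposition': `${disposition}; filename="${fileName}"`,
    'X-Content-Type-Options': 'nosniff',
    // Even if a document did render on this endpoint, it could run no script.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Would a browser treat this response as an executable same-origin document?
function rendersAsActiveContent(headers) {
  const inline = !/^attachment\b/i.test(headers['Content-Disposition'] || '');
  return inline && ACTIVE_TYPES.has(baseType(headers['Content-Type']));
}

// Constructed scenario: the attacker stored an HTML payload under an innocuous
// type and sends the victim a link that overrides it with text/html.
const STORED_FILE = { fileName: 'report.txt', mimeType: 'text/plain' };
const CRAFTED_QUERY = { mimeType: 'text/html', action: 'view' };

function compare() {
  return {
    vulnerable: rendersAsActiveContent(vulnerableHeaders(STORED_FILE, CRAFTED_QUERY)),
    hardened: rendersAsActiveContent(hardenedHeaders(STORED_FILE, CRAFTED_QUERY)),
  };
}

console.log(compare()); // { vulnerable: true, hardened: false }
```

The allowlist is deliberately short: HTML, SVG and XML never pass it, so a stored payload can at most be downloaded, never rendered on the application origin. If the `sandbox` directive interferes with inline PDF viewing in a particular browser, the robust alternative is to serve user-supplied files from a separate origin so that a rendered document carries no n8n session.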
Potential Impact
For European organizations running n8n versions prior to 1.90.0, this vulnerability puts the confidentiality and integrity of user accounts, and through them the workflows those accounts can reach, at risk. Because the injected script runs on the n8n instance's own origin with the victim's session, it can perform any action the victim can perform through the n8n interface or REST API: changing account details such as the email address (the account takeover path described in the advisory) and, depending on the victim's role, reading or modifying workflows and the integrations they automate. A workflow platform typically connects to many other systems, so a hijacked account can become a foothold for unauthorized access to internal systems, data leakage or manipulation of automated processes. The requirement for an authenticated member-level account limits the attacker population to insiders and compromised accounts, and the victim must open a crafted link, which makes phishing inside the organization (chat, ticket or email) the likely delivery route. Organizations handling sensitive personal data or intellectual property should consider what an attacker inheriting an administrator's session could reach. The medium CVSS score reflects the privileges and user interaction required, not the consequences of a successful attack; organizations with high-value workflows should treat this vulnerability as a priority fix.
Mitigation Recommendations
1. Upgrade n8n to version 1.90.0 or later. This is the only complete fix: the patch stops the attachments view endpoint from honouring a client-supplied MIME type.
2. Until the upgrade is deployed, add a compensating control at the reverse proxy in front of n8n: block requests to the binary data endpoint whose MIME type parameter names a type the browser would render as a document (text/html, application/xhtml+xml, image/svg+xml and the XML types), or rewrite that endpoint's responses to carry Content-Disposition: attachment and X-Content-Type-Options: nosniff so the browser downloads the file instead of rendering it. A Content-Security-Policy of "default-src 'none'; sandbox" on the same responses removes script execution even if a document does render. The exact endpoint path and parameter name vary by version; confirm them against a legitimate attachment request in your own logs before writing the rule.
3. Keep the set of member-level accounts small and reviewed, since member rights are all an attacker needs to plant the payload; remove stale accounts and review who can create workflows that store binary data.
4. Tell users that links into the n8n instance received over chat or email, in particular links to the binary data endpoint, deserve the same suspicion as external links.
5. Search access logs for GET requests to the binary data endpoint with the MIME type parameter set to an HTML, SVG or XML type. A 200 response to such a request means the payload reached a browser; the file identifier and the requesting accounts show who planted the file and who opened it.
6. Enable multi-factor authentication for all users. MFA does not stop the injected script, which rides the victim's existing session, but it prevents the attacker from logging in afterwards with a password reset sent to the changed email address unless the second factor is also compromised. Alert on email address changes in account settings, which are the attack's end goal.
7. Include file-serving endpoints in regular security testing of workflow automation platforms: any endpoint that returns stored user content must decide the Content-Type server-side, never from a request parameter, and must send nosniff.
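As an added example of the log search in the recommendations above (not from n8n or the advisory), the following pass parses reverse proxy access lines in the nginx "combined" format and flags GET requests that ask the binary data endpoint to serve a file as an active content type. The endpoint path `/rest/binary-data`, the `mimeType` and `id` parameter names and the sample log lines are assumptions constructed for illustration; adjust the path and parameter names to what your n8n version actually exposes.

```javascript
// Added example, not n8n's own code. Endpoint path, parameter names and the
// sample log are assumptions constructed for illustration.

const BINARY_ENDPOINT = /^\/rest\/binary-data(\/|$)/;
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/xml', 'application/xml', 'text/javascript', 'application/javascript',
]);

// nginx "combined" log format: ip - user [time] "METHOD target PROTO" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, user, time, method, target, status, referer, userAgent] = m;
  let url;
  try {
    // The base host is a placeholder so that relative targets parse.
    url = new URL(target, 'http://n8n.invalid');
  } catch (e) {
    return null;
  }
  return {
    ip, user, time, method, status: Number(status), referer, userAgent,
    path: url.pathname, params: url.searchParams,
  };
}

function baseType(mimeType) {
  return String(mimeType || '').toLowerCase().split(';')[0].trim();
}

function findSuspiciousRequests(logText) {
  const findings = [];
  for (const raw of logText.split('\n')) {
    const req = parseLine(raw.trim());
    if (!req || req.method !== 'GET' || !BINARY_ENDPOINT.test(req.path)) continue;
    const requested = baseType(req.params.get('mimeType'));
    if (!ACTIVE_TYPES.has(requested)) continue;
    findings.push({
      ip: req.ip,
      time: req.time,
      status: req.status,
      mimeType: requested,
      fileId: req.params.get('id'),
      // Only a 200 means the payload was actually handed to a browser.
      delivered: req.status === 200,
      // An empty referer suggests a link pasted into chat or mail rather than
      // a click inside the n8n UI.
      referer: req.referer,
    });
  }
  return findings;
}

// Constructed sample: a normal image view, a request forcing text/html on a
// stored text file, a rejected unauthenticated SVG attempt, and unrelated API
// traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [20/May/2025:10:01:02 +0000] "GET /rest/binary-data?id=f1a2&action=view&fileName=a.png&mimeType=image%2Fpng HTTP/1.1" 200 51234 "https://n8n.example.internal/workflow/1" "Mozilla/5.0"',
  '10.0.0.9 - - [20/May/2025:10:03:44 +0000] "GET /rest/binary-data?id=c7d8&action=view&fileName=report.txt&mimeType=text%2Fhtml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [20/May/2025:10:04:10 +0000] "GET /rest/binary-data?id=c7d8&action=view&mimeType=image%2Fsvg%2Bxml HTTP/1.1" 401 0 "-" "curl/8.0"',
  '10.0.0.5 - - [20/May/2025:10:05:00 +0000] "GET /rest/workflows HTTP/1.1" 200 900 "https://n8n.example.internal/home" "Mozilla/5.0"',
].join('\n');

console.log(findSuspiciousRequests(SAMPLE_LOG));
```

In the sample, the second line is the one to investigate: a stored text file was requested as text/html, the server answered 200, and the request arrived without a referer, which is what a link received out of band looks like. The same `id` appearing in the rejected request from an external address is a hint that the file identifier was shared around.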
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-22T22:41:54.912Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef0c4
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 11:05:32 PM
Last updated: 8/16/2025, 10:19:16 PM
Views: 28
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)