CVE-2026-25051: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in n8n-io n8n
n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-25051 affects the n8n open-source workflow automation platform prior to version 1.123.2. It is categorized as a Cross-Site Scripting (XSS) flaw under CWE-79, caused by improper neutralization of input during web page generation. Specifically, the issue occurs in the handling of webhook responses and related HTTP endpoints where user-supplied input is embedded in HTML responses without adequate sanitization. Although n8n implements a Content Security Policy (CSP) sandbox intended to isolate HTML responses and prevent script execution, under certain conditions this CSP sandbox is not correctly applied, allowing malicious scripts to run with same-origin privileges. An attacker must be an authenticated user with permissions to create or modify workflows, enabling them to craft workflows that embed malicious scripts. When other users interact with these workflows, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or account takeover. The vulnerability does not require administrative privileges but does require some level of authenticated access and user interaction. The CVSS 4.0 base score is 8.5 (high), reflecting the network attack vector, low attack complexity, no need for privileges beyond workflow modification, and partial user interaction. The vulnerability has been addressed in n8n version 1.123.2, which properly enforces the CSP sandbox and sanitizes inputs to prevent script injection. No public exploits or active exploitation campaigns have been reported to date.
Potential Impact
For European organizations using n8n, especially those deploying it internally for workflow automation, this vulnerability poses a significant risk. An attacker with workflow modification rights—potentially a disgruntled insider or compromised user—could inject malicious scripts that execute in the browsers of other users interacting with the workflows. This can lead to session hijacking, unauthorized access to sensitive data, and account takeover, undermining confidentiality and integrity. Given n8n's role in automating business processes, exploitation could disrupt operations or lead to data leakage. The impact is heightened in environments where multiple users collaborate on workflows or where workflows trigger sensitive actions. Since the vulnerability requires authenticated access, organizations with lax access controls or insufficient user privilege management are at greater risk. The lack of known exploits reduces immediate threat but does not eliminate the risk of future attacks, especially as awareness grows. European organizations in sectors with strict data protection regulations (e.g., GDPR) must consider the compliance implications of potential data breaches resulting from exploitation.
Mitigation Recommendations
Organizations should immediately upgrade all n8n instances to version 1.123.2 or later, where the vulnerability is patched. Until an upgrade is possible, restrict workflow creation and modification permissions to trusted users only, minimizing the attack surface. Implement strict access controls and monitor user activity related to workflow changes to detect suspicious behavior. Employ web application firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting n8n endpoints. Educate users to be cautious when interacting with workflows created or modified by others, especially if unexpected behavior is observed. Regularly audit workflows for unauthorized or suspicious scripts. Additionally, review and tighten Content Security Policy configurations at the deployment level to reinforce sandboxing: the isolation this advisory relies on comes from the CSP `sandbox` directive, which makes the browser render the webhook's HTML in an opaque origin so that injected script cannot reach the application's cookies or DOM. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.
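The following is an added example, not code from the n8n project or from this advisory. It models the defensive property described in the Technical Summary and the Mitigation Recommendations above: an HTML response generated from a user-editable workflow should carry a `Content-Security-Policy: sandbox` directive, and that directive must not be weakened with `allow-same-origin`, which would hand the rendered document the application's own origin again. The `Response` type, the audit and enforcement functions, and the sample responses are constructed for illustration; the script assumes a single CSP header per response and does not speak to how n8n itself builds its responses.

```python
"""Audit HTTP responses for a missing or weakened CSP sandbox.

Added example (not n8n code). Given a response's status and headers, it
classifies whether an HTML body is isolated by the CSP `sandbox` directive,
and shows a hardening step that restores isolation. All sample data below is
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_html(resp: Response) -> bool:
    """True when the browser would render the body as an HTML document."""
    ctype = _header(resp.headers, "Content-Type") or ""
    media_type = ctype.split(";")[0].strip().lower()
    return media_type in ("text/html", "application/xhtml+xml")


def csp_directives(csp_value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def sandbox_status(resp: Response) -> str:
    """Classify one response.

    'sandboxed' - HTML with a CSP sandbox that keeps an opaque origin
    'weakened'  - sandbox present but allow-same-origin restores the app origin
    'missing'   - HTML without any CSP sandbox directive (the advisory's case)
    'not-html'  - non-HTML body, not rendered as a document
    """
    if not is_html(resp):
        return "not-html"
    csp = _header(resp.headers, "Content-Security-Policy")
    if csp is None:
        return "missing"
    directives = csp_directives(csp)
    if "sandbox" not in directives:
        return "missing"
    if "allow-same-origin" in directives["sandbox"]:
        return "weakened"
    return "sandboxed"


def enforce_sandbox(resp: Response) -> Response:
    """Hardening step: return a copy whose HTML responses are origin-isolated.

    Adds a bare `sandbox` directive when none exists and strips
    `allow-same-origin` when a sandbox is present. Non-HTML and already
    isolated responses are returned unchanged.
    """
    status = sandbox_status(resp)
    if status in ("sandboxed", "not-html"):
        return resp
    existing = _header(resp.headers, "Content-Security-Policy")
    directives = csp_directives(existing) if existing else {}
    if "sandbox" in directives:
        directives["sandbox"] = [t for t in directives["sandbox"] if t != "allow-same-origin"]
    else:
        directives["sandbox"] = []  # bare sandbox: opaque origin, no script, no forms
    headers = {k: v for k, v in resp.headers.items() if k.lower() != "content-security-policy"}
    headers["Content-Security-Policy"] = "; ".join(
        " ".join([name] + tokens) for name, tokens in directives.items()
    )
    return Response(resp.status, headers)


# Constructed sample responses, labelled by the case each one represents.
SAMPLES: Dict[str, Response] = {
    "isolated":  Response(200, {"Content-Type": "text/html; charset=utf-8",
                                "Content-Security-Policy": "sandbox"}),
    "weakened":  Response(200, {"content-type": "text/html",
                                "content-security-policy": "sandbox allow-scripts allow-same-origin"}),
    "no-csp":    Response(200, {"Content-Type": "text/html"}),
    "csp-no-sb": Response(200, {"Content-Type": "text/html",
                                "Content-Security-Policy": "default-src 'self'"}),
    "json":      Response(200, {"Content-Type": "application/json"}),
}


def audit(samples: Dict[str, Response]) -> List[Tuple[str, str]]:
    """Return (label, status) for every sample; flag anything not 'sandboxed' or 'not-html'."""
    return [(label, sandbox_status(resp)) for label, resp in samples.items()]


if __name__ == "__main__":
    for label, status in audit(SAMPLES):
        print(f"{label:10s} {status}")
    print(enforce_sandbox(SAMPLES["weakened"]).headers)
```

Running the audit over a capture of real webhook responses (for example, the headers recorded by a reverse proxy in front of n8n) turns the advisory's "under certain conditions the sandbox may not be applied" into a concrete per-response finding; the `enforce_sandbox` step is the shape of a proxy or middleware rule that would reinforce the sandbox at the deployment level while an upgrade is pending.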
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-28T14:50:47.888Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69837ea2f9fa50a62f9d190d
Added to database: 2/4/2026, 5:15:14 PM
Last enriched: 2/4/2026, 5:31:24 PM
Last updated: 2/6/2026, 8:34:33 PM