CVE-2026-25051 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting n8n, an open-source workflow automation platform. The vulnerability exists in versions prior to 1.123.2 and is due to improper neutralization of input during web page generation, specifically in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox, which is intended to isolate HTML responses and prevent script execution, is not correctly enforced. This flaw allows an authenticated user with permission to create or modify workflows to inject malicious scripts into the workflow's HTTP responses. When other users interact with these crafted workflows, the malicious scripts execute with same-origin privileges, enabling session hijacking, credential theft, or account takeover. The vulnerability requires the attacker to have at least workflow modification rights and some user interaction to trigger the payload. The CVSS 4.0 base score is 8.5, reflecting high severity due to network attack vector, low attack complexity, no need for elevated privileges beyond workflow modification, and high impact on confidentiality and integrity. The vulnerability has been addressed in n8n version 1.123.2 by correcting the CSP enforcement and input sanitization mechanisms. No known exploits have been reported in the wild as of the publication date.

For European organizations using n8n for workflow automation, this vulnerability poses a significant risk. An attacker with authenticated access to workflow creation or modification can embed malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking and unauthorized account access. This can compromise sensitive business processes automated via n8n, leading to data breaches, disruption of automated workflows, and potential lateral movement within the network. Given n8n's use in automating critical business functions, exploitation could impact operational integrity and confidentiality. The requirement for authenticated access limits exposure to insider threats or compromised accounts, but the risk remains substantial in environments with multiple users having workflow modification permissions. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure. Organizations failing to update to the patched version remain vulnerable to targeted attacks that could lead to significant data loss or operational disruption.

European organizations should prioritize upgrading n8n installations to version 1.123.2 or later, where the vulnerability is patched. Access controls should be reviewed and tightened to limit workflow creation and modification permissions to trusted users only. Implementing multi-factor authentication (MFA) for all users with elevated permissions can reduce the risk of account compromise. Monitoring and logging of workflow changes and webhook activity should be enhanced to detect suspicious modifications or unusual HTTP responses. Additionally, organizations should educate users about the risks of interacting with untrusted workflows and consider isolating n8n instances within segmented network zones to limit potential lateral movement. Employing web application firewalls (WAFs) with rules to detect and block reflected XSS payloads in HTTP responses may provide an additional layer of defense. Finally, regular security assessments and penetration testing focused on workflow automation platforms can help identify and remediate similar vulnerabilities proactively.