The vulnerability CVE-2026-25054 is a Cross-Site Scripting (XSS) flaw classified under CWE-80 and CWE-79, found in the n8n workflow automation platform's markdown rendering component. This component is responsible for rendering user-generated markdown content in the interface, including workflow sticky notes and other markdown-enabled fields. Prior to versions 1.123.9 and 2.2.1, the platform failed to properly neutralize script-related HTML tags, allowing an authenticated user with permissions to create or modify workflows to inject malicious JavaScript code. When other users interact with or view these maliciously crafted workflows, the injected scripts execute with the same-origin privileges as the n8n web application. This can lead to session hijacking, enabling attackers to steal session cookies or tokens, potentially resulting in account takeover and unauthorized access to sensitive workflow data or administrative functions. The vulnerability does not require administrative privileges but does require authenticated access with workflow modification rights, which may be granted to many users in collaborative environments. The CVSS 4.0 score is 8.5 (high), reflecting the network attack vector, low attack complexity, no required privileges beyond workflow modification, and partial user interaction. Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the potential for lateral movement and privilege escalation within affected organizations. The issue was publicly disclosed and patched promptly in versions 1.123.9 and 2.2.1, and users are strongly advised to upgrade to these or later versions.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of their automation workflows and potentially broader IT environments. n8n is increasingly adopted across various sectors including finance, healthcare, and manufacturing in Europe for automating critical business processes. Exploitation could allow malicious insiders or compromised accounts to execute arbitrary scripts in other users' browsers, leading to session hijacking, unauthorized data access, and potential lateral movement within the network. This could disrupt automated workflows, leak sensitive data, or facilitate further attacks such as privilege escalation or ransomware deployment. The impact is heightened in environments where multiple users collaborate on workflows and where n8n is integrated with other enterprise systems. Given the high CVSS score and the ease of exploitation by authenticated users, organizations face a tangible risk of account compromise and operational disruption if they do not apply patches promptly.

European organizations should immediately upgrade all n8n instances to version 1.123.9 or 2.2.1 or later to remediate this vulnerability. Beyond patching, organizations should enforce strict access controls limiting workflow creation and modification permissions to trusted users only, minimizing the attack surface. Implement multi-factor authentication (MFA) to reduce the risk of credential compromise. Regularly audit workflows for suspicious or unexpected markdown content, especially in shared environments. Employ Content Security Policy (CSP) headers to restrict script execution origins and reduce the impact of potential XSS attacks. Monitor logs for unusual user activity related to workflow modifications. Educate users about the risks of interacting with untrusted workflows and encourage reporting of suspicious behavior. Finally, consider isolating n8n instances within segmented network zones to limit lateral movement in case of compromise.