CVE-2026-54303
Reflected XSS in n8n Workflow Automation Platform

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. This vulnerability is fixed in 2.24.0.
Affected Vendors & Products
Vendor  Product  Version / Range
n8n     n8n      up to 2.24.0 (exclusive)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-54303 is a reflected Cross-Site Scripting (XSS) vulnerability in the n8n workflow automation platform versions prior to 2.24.0.

The vulnerability occurs in the Meta (Facebook, WhatsApp) and Microsoft Teams trigger nodes, where a query parameter is reflected in the HTTP response without proper sanitization or Content-Security-Policy headers.

This allows an attacker to execute malicious scripts in the context of a logged-in user's session by tricking them into visiting a specially crafted URL.

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute malicious scripts in your browser when you visit a crafted URL while logged into n8n.

The impact is primarily on confidentiality, as the attacker could potentially access sensitive information available in the user's session.

There is no impact on the integrity or availability of the system.

Exploitation requires low privileges and user interaction.

Detection Guidance

This vulnerability is a reflected Cross-Site Scripting (XSS) issue in n8n versions prior to 2.24.0, specifically in the Meta and Microsoft Teams trigger nodes where a query parameter is reflected without sanitization.

Detection involves identifying whether your n8n instance is running a vulnerable version and whether the affected endpoints reflect query parameters unsafely.

You can test for the vulnerability by crafting a URL with a script payload in the query parameter targeting the Meta or Microsoft Teams trigger endpoints and observing whether the script is reflected in the HTTP response.

Example commands to detect the vulnerability include using curl or wget to send requests with a test script payload and inspecting the response for reflected script tags. The endpoint paths and parameter name below are illustrative placeholders; the advisory does not name the affected endpoint or parameter.

  • curl -i 'http://<n8n-host>/webhook/meta?param=<script>alert(1)</script>'
  • curl -i 'http://<n8n-host>/webhook/microsoft-teams?param=<script>alert(1)</script>'

If the response contains the injected script without sanitization or Content-Security-Policy headers, the system is vulnerable.
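The check in the previous sentence has two parts that are easy to conflate: the probe value coming back at all, and it coming back without HTML encoding. The following added example (not code from the advisory or from n8n) classifies a captured response to a probe that placed a harmless canary in the reflected query parameter; the canary, the marker token and the two sample responses are constructed here, and since the advisory names neither endpoint nor parameter, sending the probe itself is left to the reader.

```javascript
// Added example, not code from the advisory or from n8n. It classifies a captured
// HTTP response to a probe that put a harmless canary in the reflected query
// parameter (the advisory names neither endpoint nor parameter, so sending the
// probe is left to the reader). The canary ends in the four HTML-significant
// characters so the encoding the server applied to them can be read off.
const TOKEN = "n8nprobe7f3a";            // constructed marker, unlikely to occur naturally
const SPECIALS = ["<", ">", '"', "'"];
const ENTITIES = { "<": ["&lt;"], ">": ["&gt;"], '"': ["&quot;"], "'": ["&#39;", "&#x27;", "&apos;"] };
const CANARY = TOKEN + SPECIALS.join("");

// response = { headers: { name: value }, body: string }
function classifyReflection(response) {
  const headers = {};
  for (const [k, v] of Object.entries(response.headers)) headers[k.toLowerCase()] = v;
  const isHtml = (headers["content-type"] || "").toLowerCase().startsWith("text/html");
  const hasCsp = "content-security-policy" in headers;
  const body = response.body;
  let pos = body.indexOf(TOKEN);
  if (pos === -1) return { verdict: "not-reflected", isHtml, hasCsp, unescaped: [] };
  // Walk the characters right after the marker: each special comes back either
  // raw, as an entity, or not at all (stripped or otherwise transformed).
  pos += TOKEN.length;
  const unescaped = [];
  let altered = false;
  for (const c of SPECIALS) {
    const entity = ENTITIES[c].find(e => body.startsWith(e, pos));
    if (body.startsWith(c, pos)) { unescaped.push(c); pos += 1; }
    else if (entity) pos += entity.length;
    else { altered = true; break; }
  }
  let verdict;
  if (!isHtml) verdict = "reflected-non-html";    // browsers will not render it as a page
  else if (altered) verdict = "reflected-altered"; // filtered some other way; inspect by hand
  else if (unescaped.length === 0) verdict = "escaped";
  else if (!hasCsp) verdict = "vulnerable";       // unescaped reflection and no CSP: the advisory's condition
  else verdict = "reflected-review-csp";          // CSP present; its directives decide what it blocks
  return { verdict, isHtml, hasCsp, unescaped };
}

// Constructed sample responses standing in for a vulnerable and a fixed instance.
const VULNERABLE_SAMPLE = {
  headers: { "Content-Type": "text/html; charset=utf-8" },
  body: `<html><body>Invalid request for ${CANARY}</body></html>`,
};
const FIXED_SAMPLE = {
  headers: { "Content-Type": "text/html; charset=utf-8", "Content-Security-Policy": "default-src 'none'" },
  body: `<html><body>Invalid request for n8nprobe7f3a&lt;&gt;&quot;&#x27;</body></html>`,
};

console.log(classifyReflection(VULNERABLE_SAMPLE).verdict, classifyReflection(FIXED_SAMPLE).verdict);
```

A "reflected-review-csp" result is not a clean bill of health: a permissive policy still leaves the reflection exploitable, so read the directives rather than treating the header's presence as the fix.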

Mitigation Strategies

The primary mitigation is to upgrade n8n to version 2.24.0 or later, where this vulnerability is fixed.

As temporary mitigations before upgrading, you can restrict workflow creation permissions to trusted users only to reduce the risk of exploitation.

Another temporary mitigation is to disable the affected Meta and Microsoft Teams trigger nodes by setting the NODES_EXCLUDE environment variable.

Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) issue that allows execution of malicious scripts in the context of a logged-in user's session, potentially exposing confidential information.

Such exposure of confidential data through reflected XSS can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access or disclosure.

Therefore, if exploited, this vulnerability could lead to violations of these regulations due to confidentiality breaches.

Remediation by upgrading to n8n version 2.24.0 or later is necessary to mitigate this risk and maintain compliance.
