CVE-2026-54303
n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
In short
n8n versions before 2.24.0 have a security flaw where Facebook, WhatsApp, and Microsoft Teams webhook endpoints reflect user input directly into web pages without proper protection, allowing attackers to inject malicious scripts that execute in a logged-in user's browser.
Technical detail
A reflected XSS vulnerability exists in Meta and Microsoft Teams trigger node endpoints where unsanitized query parameters are echoed into HTTP responses without Content-Security-Policy protections. An attacker can craft a malicious URL and trick a logged-in n8n user into visiting it, causing arbitrary JavaScript execution in the context of the n8n application.
Summary generated and translated by AI from the official description.
n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. This vulnerability is fixed in 2.24.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Affected products
n8n-io · n8nWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →