{"data":{"id":"08161e0d-2593-4d41-ba46-6f50217454ae","title":"GHSA-42h7-m79w-wvg5: n8n: Stored XSS in Chat Trigger Node","summary":"n8n (a workflow automation tool) has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs when users visit a page) in its Chat Trigger feature. An authenticated user with edit access could inject harmful JavaScript code that executes with the privileges of anyone who visits the chat URL, potentially compromising their session.","solution":"The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can: limit workflow creation and editing permissions to fully trusted users only, or disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-42h7-m79w-wvg5","publishedAt":"2026-06-16T22:39:32.000Z","cveId":"CVE-2026-54302","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.0.0-rc.0, < 2.25.7 (fixed: 2.25.7)","n8n@>= 2.26.0, < 2.26.2 (fixed: 2.26.2)","n8n@< 1.123.55 (fixed: 1.123.55)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["n8n","LangChain"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-16T22:39:32.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0051"]}}