GHSA-h86q-fx34-gfjr: n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
Summary
n8n, a workflow automation tool, has a reflected cross-site scripting (XSS) vulnerability in the webhook verification endpoints of its Facebook, WhatsApp, and Microsoft Teams trigger nodes. Reflected XSS is an attack in which attacker-controlled input in a request is echoed into the response and executed by the victim's browser. Here a query parameter is reflected into the response without sanitization or a safe content type, so when a logged-in user opens a specially crafted URL, the attacker's script runs in that user's browser within n8n's origin, where it can act with the user's session.
Solution / Mitigation
The issue is fixed in n8n 2.24.0; upgrade to that version or later. Where an upgrade is not immediately possible, administrators can, as short-term measures only: (1) restrict workflow creation and activation to fully trusted users, or (2) stop loading the affected nodes by listing `n8n-nodes-base.facebookTrigger`, `n8n-nodes-base.whatsAppTrigger`, `n8n-nodes-base.facebookLeadAdsTrigger`, and `n8n-nodes-base.microsoftTeamsTrigger` in the `NODES_EXCLUDE` environment variable (n8n reads it as a JSON array string, e.g. `NODES_EXCLUDE='["n8n-nodes-base.facebookTrigger","n8n-nodes-base.whatsAppTrigger","n8n-nodes-base.facebookLeadAdsTrigger","n8n-nodes-base.microsoftTeamsTrigger"]'`, and it takes effect on restart). The advisory notes that neither workaround fully remediates the risk; they are stopgaps until the upgrade.
Vulnerability Details
EPSS: 0.0%
June 16, 2026
Original source: https://github.com/advisories/GHSA-h86q-fx34-gfjr
First tracked: June 16, 2026 at 08:00 PM