CVE-2026-54302: n8n: Stored XSS in Chat Trigger Node

June 16, 2026

An authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger’s generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user’s session privileges.

References

github.com/advisories/GHSA-42h7-m79w-wvg5
github.com/n8n-io/n8n/security/advisories/GHSA-42h7-m79w-wvg5
nvd.nist.gov/vuln/detail/CVE-2026-54302

Code Behaviors & Features

Detect and mitigate CVE-2026-54302 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →