PatchSiren cyber security CVE debrief

CVE-2026-54303 n8n-io CVE debrief

CVE-2026-54303 is a reflected Cross-Site Scripting (XSS) vulnerability in the n8n workflow automation platform. An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without proper sanitization or Content-Security-Policy headers. This allows an attacker to inject malicious scripts when a logged-in user visits a crafted URL. The vulnerability has a CVSS score of 6.8 and is classified as MEDIUM severity. It was published on June 23, 2026, and modified on June 25, 2026. The issue is fixed in version 2.24.0 of the n8n platform.

Vendor: n8n-io
Product: n8n
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Security teams and administrators responsible for n8n workflow automation platforms should be aware of this vulnerability. Specifically, those using versions prior to 2.24.0 are at risk and should prioritize upgrading to the patched version. Additionally, users who have integrated n8n with Microsoft Teams or use the Meta trigger node may be particularly affected.

Technical summary

The vulnerability exists in the Meta and Microsoft Teams trigger nodes of the n8n platform. The affected endpoint reflects a query parameter into the HTTP response without sanitization and without Content-Security-Policy headers, so script supplied in a specially crafted URL is executed in the browser of a logged-in user who visits it. The CVSS:4.0 vector for this vulnerability is AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X (the base metrics are followed by threat, environmental and supplemental metrics that are all left undefined, X). The weakness associated with this vulnerability is CWE-79, Improper Neutralization of Input During Web Page Generation.

Defensive priority

This vulnerability should be prioritized for remediation due to its MEDIUM severity and potential impact on n8n users. Upgrading to version 2.24.0 or later is strongly recommended.

Recommended defensive actions

  • Upgrade n8n to version 2.24.0 or later
  • Review and sanitize user input for query parameters in affected nodes
  • Implement Content-Security-Policy headers for n8n endpoints
  • Monitor n8n instances for suspicious activity
  • Educate users on safe browsing practices when using n8n

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. The source item URL from NVD offers additional context. A mitigation or vendor reference from GitHub provides further guidance on addressing the issue.

Official resources

This article is AI-assisted and based on the supplied source corpus.