CVE-2026-42228

MEDIUM LAB

n8n: Hijacking of Unauthenticated Chat Execution

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42228. PoCs published by rudSarkar.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2026-42228, an unauthenticated chat execution hijacking vulnerability in n8n. The exploit leverages a WebSocket endpoint that fails to validate user authorization, allowing an attacker to inject arbitrary chat input into a waiting workflow execution.

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Exploits (1)

nomisec WORKING POC

by rudSarkar · poc

https://github.com/rudSarkar/CVE-2026-42228

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2026-42228, an unauthenticated chat execution hijacking vulnerability in n8n. The exploit leverages a WebSocket endpoint that fails to validate user authorization, allowing an attacker to inject arbitrary chat input into a waiting workflow execution.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: n8n < 1.123.32

No auth needed

Prerequisites: A public Hosted Chat workflow with Authentication = None is active · At least one execution is currently in the waiting state · The attacker can guess or enumerate the numeric execution ID

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 07, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw

Scores

CVSS v3 6.5

EPSS 0.0008

EPSS Percentile 23.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull n8nio/n8n:1.123.22

docker pull n8n-chat-hijack-poc:latest

https://github.com/rudSarkar/CVE-2026-42228

View in Library

Details

CWE

CWE-862

Status published

Products (8)

n8n/n8n 2.18.0

n8n/n8n < 1.123.32

n8n-io/n8n < 1.123.32

n8n-io/n8n >= 2.17.0, < 2.17.4

n8n-io/n8n >= 2.18.0, < 2.18.1

npm/n8n 0 - 1.123.32npm

npm/n8n 2.0.0 - 2.17.4npm

npm/n8n 2.18.0 - 2.18.1npm

Published May 04, 2026

Tracked Since May 05, 2026