XSS Vulnerability in n8n Workflow Automation Platform
CVE-2026-25054

8.5HIGH

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 4 February 2026

What is CVE-2026-25054?

n8n, an open-source workflow automation platform, had a Cross-Site Scripting (XSS) vulnerability in its markdown rendering component prior to versions 1.123.9 and 2.2.1. This flaw allowed authenticated users with the ability to create or edit workflows to inject malicious scripts into workflow sticky notes and other markdown-supported interface areas. When another user interacted with a crafted workflow, the attacker could execute scripts with same-origin privileges, potentially leading to session hijacking and unauthorized access to accounts. This issue affects the security and integrity of user interactions within the n8n platform.

Affected Version(s)

n8n < 1.123.9 < 1.123.9

n8n < 2.2.1 < 2.2.1

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-qp...

x_refsource_CONFIRM

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 4, 2026
Vulnerability Reserved
Jan 28, 2026

CVE-2026-25054 Data

JSON

N8n-io

What is CVE-2026-25054?

Affected Version(s)

References

CVSS V4

Timeline