XSS Vulnerability in n8n Workflow Automation Platform
CVE-2026-25054

8.5HIGH

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 4 February 2026

What is CVE-2026-25054?

n8n, an open-source workflow automation platform, had a Cross-Site Scripting (XSS) vulnerability in its markdown rendering component prior to versions 1.123.9 and 2.2.1. This flaw allowed authenticated users with the ability to create or edit workflows to inject malicious scripts into workflow sticky notes and other markdown-supported interface areas. When another user interacted with a crafted workflow, the attacker could execute scripts with same-origin privileges, potentially leading to session hijacking and unauthorized access to accounts. This issue affects the security and integrity of user interactions within the n8n platform.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

n8n < 1.123.9 < 1.123.9

n8n < 2.2.1 < 2.2.1

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-qp...

x_refsource_CONFIRM

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Feb 4, 2026
Vulnerability Reserved
Jan 28, 2026

JSON

N8n-io