Security Flaw in n8n Workflow Automation Platform Exposes Users to Attack
CVE-2026-54301

7HIGH

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-54301?

The n8n workflow automation platform has a vulnerability that allows an authenticated user with workflow edit access to configure a Respond to Webhook node in a way that it can serve binary content with a maliciously crafted Content-Type. This configuration bypasses the Content-Security-Policy sandbox header, enabling a public webhook to execute JavaScript within the n8n origin. This can occur when an authenticated user accesses the webhook, potentially exposing the user's session to external threats. The issue has been addressed in versions 1.123.55, 2.25.7, and 2.26.2.

Affected Version(s)

n8n < 1.123.55 < 1.123.55

n8n >= 2.0.0-rc.0, < 2.25.7 < 2.0.0-rc.0, 2.25.7

n8n >= 2.26.0, < 2.26.2 < 2.26.0, 2.26.2

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-v7...

x_refsource_CONFIRM

CVSS V4

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
Jun 12, 2026

CVE-2026-54301 Data

JSON

N8n-io

What is CVE-2026-54301?

Affected Version(s)

References

CVSS V4

Timeline