Cross-Site Scripting and Open Redirect Vulnerabilities in n8n by n8n.io
CVE-2026-56354

5.1MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56354?

The n8n automation tool before versions 1.123.24, 2.10.4, and 2.12.0 contains critical vulnerabilities in the Form Node. These vulnerabilities allow authenticated users with workflow creation permissions to inject untrusted HTML and scripts into description fields, facilitating potential XSS attacks. Additionally, the application’s lax iframe sandbox policies can be exploited for open redirects, enabling adversaries to redirect users to malicious websites for phishing and other attacks. Users are advised to update to the latest versions to mitigate these risks.

Affected Version(s)

n8n 0 < 1.123.24

n8n 2.0.0-rc.0 < 2.10.4

n8n 2.11.0 < 2.12.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

tCu0n9
.