Cross-Site Scripting and Open Redirect Vulnerabilities in n8n by n8n.io
CVE-2026-56354
5.1MEDIUM
What is CVE-2026-56354?
The n8n automation tool before versions 1.123.24, 2.10.4, and 2.12.0 contains critical vulnerabilities in the Form Node. These vulnerabilities allow authenticated users with workflow creation permissions to inject untrusted HTML and scripts into description fields, facilitating potential XSS attacks. Additionally, the application’s lax iframe sandbox policies can be exploited for open redirects, enabling adversaries to redirect users to malicious websites for phishing and other attacks. Users are advised to update to the latest versions to mitigate these risks.
Affected Version(s)
n8n 0 < 1.123.24
n8n 2.0.0-rc.0 < 2.10.4
n8n 2.11.0 < 2.12.0
