Stored Cross-Site Scripting Vulnerability in n8n Chat Trigger Custom CSS
CVE-2026-56356
5.1MEDIUM
What is CVE-2026-56356?
n8n has a stored cross-site scripting vulnerability present in the Chat Trigger node's Custom CSS field due to a misconfiguration in the sanitize-html library. This allows authenticated users with the ability to create or modify workflows to inject malicious JavaScript, which can lead to successful XSS attacks on any user who later visits the public chat page. The vulnerability impacts versions of n8n prior to 1.123.27, and the ranges 2.0.0 through 2.13.2 and 2.14.0. The issue has been resolved in later releases: 1.123.27, 2.13.3, and 2.14.1. For further details, refer to the GitHub Security Advisory and the VulnCheck Advisory.
Affected Version(s)
n8n 0 < 1.123.27
n8n 2.0.0-rc.0 < 2.13.3
n8n 2.14.0 < 2.14.1
