Stored Cross-Site Scripting Vulnerability in n8n Chat Trigger Custom CSS
CVE-2026-56356

5.1MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-56356?

n8n has a stored cross-site scripting vulnerability present in the Chat Trigger node's Custom CSS field due to a misconfiguration in the sanitize-html library. This allows authenticated users with the ability to create or modify workflows to inject malicious JavaScript, which can lead to successful XSS attacks on any user who later visits the public chat page. The vulnerability impacts versions of n8n prior to 1.123.27, and the ranges 2.0.0 through 2.13.2 and 2.14.0. The issue has been resolved in later releases: 1.123.27, 2.13.3, and 2.14.1. For further details, refer to the GitHub Security Advisory and the VulnCheck Advisory.

Affected Version(s)

n8n 0 < 1.123.27

n8n 2.0.0-rc.0 < 2.13.3

n8n 2.14.0 < 2.14.1

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

JorianWoltjer
.