Cross-Site Scripting Vulnerability in n8n by n8n.io
CVE-2026-56359

4.8MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56359?

A cross-site scripting vulnerability exists in n8n prior to version 2.8.0. The flaw allows authenticated users to inject malicious JavaScript URLs within OAuth2 credential Authorization URL fields. By crafting deceptive credentials, attackers can lure victims into clicking on the OAuth authorization button, executing arbitrary scripts in the victim's browser session under their privileges. This exposes users to significant security risks and potential data breaches.

Affected Version(s)

n8n 0 < 2.8.0

n8n 0 < 2.6.4

n8n 2.8.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

yohannslm
.