Description
n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-03-25
Score: 6.3 Medium (CVSS v4.0; NVD also records a CVSS v3.1 score of 9.0 Critical, see History below)
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting leading to data exfiltration and privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated user who can create or modify workflows to embed arbitrary HTML into a binary data object that the server serves inline. Because the server does not set Content-Disposition or Content-Security-Policy headers, the browser renders the HTML with full same‑origin JavaScript access. An attacker can therefore deliver a crafted URL to a more privileged user and cause that user’s browser to execute malicious JavaScript within the authenticated session. This could lead to exfiltration of workflow data, credentials, or even escalation to administrative privileges.
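The inline-rendering condition described in the Description and in the Impact paragraph above, as an added JavaScript example that is not n8n's code and is not taken from the advisory: it models the pre-fix header behaviour (Content-Disposition only when a filename exists, no CSP), a hardened alternative, and a check that can be run against captured response headers. The function names (vulnerableHeaders, hardenedHeaders, isRenderableInline, sanitizeFilename), the item fields (mimeType, fileName) and the sample item are assumptions made for this example; the hardened header set is one reasonable design, not necessarily what n8n shipped in the fixed releases.

```javascript
// Added example (not n8n's own code). Models the response-header behaviour the
// advisory describes and a hardened alternative. vulnerableHeaders,
// hardenedHeaders, isRenderableInline, sanitizeFilename and the item fields
// (mimeType, fileName, data) are hypothetical names, not n8n's API.

// Media types a browser will render as an active document. Served inline on the
// application origin, any of these can run script with that origin's cookies.
const ACTIVE_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/xml',
  'application/xml',
]);

function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Pre-fix behaviour as described in the advisory: the stored MIME type is echoed
// back and Content-Disposition is only set when the item carries a filename, so
// an HTML item without a filename is rendered inline on the n8n origin.
function vulnerableHeaders(item) {
  const headers = { 'Content-Type': item.mimeType };
  if (item.fileName) {
    headers['Content-Disposition'] = `attachment; filename="${item.fileName}"`;
  }
  return headers;
}

// Keep a conservative character set so the filename cannot break out of the
// quoted Content-Disposition parameter or carry path separators.
function sanitizeFilename(name) {
  return String(name || '').replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 255);
}

// Hardened variant: always force a download, fall back to a fixed name, stop
// MIME sniffing, and sandbox the document so that anything still rendered runs
// with an opaque origin and no script.
function hardenedHeaders(item) {
  const safeName = sanitizeFilename(item.fileName) || 'download.bin';
  return {
    'Content-Type': item.mimeType,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// True when a CSP sandbox directive is present and does not hand back both
// script execution and the real origin (together those flags undo the sandbox).
function sandboxNeutralizes(csp) {
  const directive = String(csp || '')
    .split(';')
    .map((d) => d.trim().toLowerCase())
    .find((d) => d === 'sandbox' || d.startsWith('sandbox '));
  if (!directive) return false;
  const flags = directive.split(/\s+/).slice(1);
  return !(flags.includes('allow-scripts') && flags.includes('allow-same-origin'));
}

// Would a browser render this response as a script-capable document on the
// serving origin? This is the condition the advisory's attack depends on.
function isRenderableInline(headers) {
  if (!ACTIVE_TYPES.has(mediaType(headers['Content-Type']))) return false;
  const disposition = String(headers['Content-Disposition'] || '').trim().toLowerCase();
  if (disposition.startsWith('attachment')) return false;
  if (sandboxNeutralizes(headers['Content-Security-Policy'])) return false;
  return true;
}

// Constructed sample: an HTML item a workflow could emit with no filename. The
// body is a harmless marker, not an exploit payload.
const craftedItem = {
  mimeType: 'text/html',
  fileName: undefined,
  data: '<script>document.title = "rendered on " + location.origin</script>',
};

function demo() {
  return {
    before: isRenderableInline(vulnerableHeaders(craftedItem)), // true
    after: isRenderableInline(hardenedHeaders(craftedItem)),    // false
  };
}

console.log(JSON.stringify(demo()));
```

Run with node. The check flags a response when the media type is an active document type, there is no attachment disposition, and no effective CSP sandbox; a sandbox that grants both allow-scripts and allow-same-origin is treated as absent. Serving user-generated files from a separate origin (a dedicated download host) removes same-origin access altogether and is the stronger long-term design; the headers above are the in-place defence for an endpoint that must stay on the application origin.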

Affected Systems

Affected products are the n8n open‑source workflow automation platform. The affected ranges are every 1.x release before 1.123.27, the 2.x releases from 2.0.0 up to and including 2.13.2, and 2.14.0 (fixed in 2.14.1). The NVD CPE entries reflect this: a wildcard version entry plus a specific entry for 2.14.0. Administrators should check the running version against these ranges and upgrade as soon as possible.
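A check of a reported version against the affected ranges above, as an added example that is not part of this page or of n8n: parseVersion, isAffected and scanInventory are hypothetical names and the host inventory is constructed for the demo.

```javascript
// Added example (not n8n's own code). Decides whether a reported n8n version
// falls in the affected ranges from the advisory. parseVersion, isAffected and
// scanInventory are hypothetical helper names; SAMPLE_HOSTS is constructed.

// First fixed version on each release line, taken from the advisory text.
const FIRST_FIXED = {
  v1: [1, 123, 27],
  v2_13: [2, 13, 3],
  v2_14: [2, 14, 1],
};

// Accepts "1.123.26", "v2.14.0" or "2.14.0-rc.1" (pre-release suffix ignored).
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable n8n version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function isAffected(text) {
  const v = parseVersion(text);
  const [major, minor] = v;
  // "Prior to 1.123.27": everything on the 1.x line before the fix. Pre-1.0
  // releases are flagged as well because the advisory does not exclude them.
  if (major <= 1) return compare(v, FIRST_FIXED.v1) < 0;
  if (major === 2) {
    // 2.0.0 up to 2.13.2 is before the 2.13.3 fix.
    if (minor <= 13) return compare(v, FIRST_FIXED.v2_13) < 0;
    // 2.14.0 is the only affected 2.14.x release.
    if (minor === 14) return compare(v, FIRST_FIXED.v2_14) < 0;
  }
  // 2.15 and later, and any later major line, are "later" than all three fixes.
  return false;
}

// Returns the names of hosts that still need the upgrade.
function scanInventory(hosts) {
  return hosts.filter((h) => isAffected(h.version)).map((h) => h.name);
}

// Constructed inventory for the demo.
const SAMPLE_HOSTS = [
  { name: 'n8n-prod-a', version: '1.123.26' },
  { name: 'n8n-prod-b', version: '1.123.27' },
  { name: 'n8n-staging', version: 'v2.13.2' },
  { name: 'n8n-dev', version: '2.14.0' },
  { name: 'n8n-lab', version: '2.14.1' },
];

console.log(scanInventory(SAMPLE_HOSTS)); // [ 'n8n-prod-a', 'n8n-staging', 'n8n-dev' ]
```

The version string can be taken from the image tag, the package.json of the installed n8n package, or whatever the deployment inventory already records; the comparison is a plain three-part numeric compare, so a pre-release suffix is dropped rather than ranked.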

Risk and Exploitability

The CVSS v4.0 score of 6.3 (Medium) reflects low privileges required but active user interaction (the victim must open the crafted link), with high impact on the subsequent system, which here is the victim's authenticated session. NVD separately assigned a CVSS v3.1 score of 9.0 (Critical) with a scope change, so organisations that prioritise by v3.1 should treat this as critical. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with workflow create or edit rights and a higher‑privileged user who can be induced to open the attacker's binary data URL while logged in; nothing beyond that click is needed, and instances that are internet‑exposed or that grant workflow editing to many users are at the greatest risk. Because the payload runs as the victim, with the victim's access to workflows, credentials and administrative functions, the vendor patch should be applied promptly, with the temporary mitigations used only as a stopgap.

Generated by OpenCVE AI on March 27, 2026 at 20:26 UTC.

Remediation

Fixed by the vendor in n8n 1.123.27, 2.13.3 and 2.14.1 (GitHub advisory GHSA-qfc3-hm4j-7q77). Where an immediate upgrade is not possible, the vendor suggests limiting workflow creation and editing to fully trusted users and/or restricting network access to the instance so that untrusted users cannot reach binary data URLs; these are short‑term mitigations only and do not fully remediate the risk.

OpenCVE Recommended Actions

  • Upgrade n8n to 1.123.27 (1.x line), 2.13.3 (2.13.x line) or 2.14.1 (2.14.x line), or any later release
  • If an immediate upgrade is not possible, restrict workflow creation and editing permissions to fully trusted users only
  • Also restrict network access to the n8n instance so that untrusted users cannot reach the /rest/binary-data URLs; neither workaround stops the inline rendering itself, so they do not fully remediate the issue



Advisories

Source | ID | Title
GitHub GHSA | GHSA-qfc3-hm4j-7q77 | n8n Vulnerable to XSS via Binary Data Inline HTML Rendering
History

Fri, 27 Mar 2026 19:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
              cpe:2.3:a:n8n:n8n:2.14.0:*:*:*:*:node.js:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values added: vendor N8n; product N8n n8n

Type: Vendors & Products
Values added: vendor N8n; product N8n n8n

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 19:00:00 +0000

Type: Description
Values added: the vulnerability description reproduced at the top of this page

Type: Title
Values added: n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none shown)

Type: Metrics (cvssV4_0)
Values added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T20:07:12.197Z

Reserved: 2026-03-23T18:30:14.124Z

Link: CVE-2026-33749

Vulnrichment

Updated: 2026-03-25T20:07:07.332Z

NVD

Status : Analyzed

Published: 2026-03-25T19:16:51.497

Modified: 2026-03-27T19:30:08.777

Link: CVE-2026-33749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:12Z

Weaknesses