Description
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type. The binary response path bypassed the central Content-Security-Policy sandbox header, allowing a public webhook to execute JavaScript in the n8n origin when visited by an authenticated user, with access to that user's session. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Published: 2026-06-23
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with workflow edit permissions can configure a Respond to Webhook node to serve binary content while choosing the Content-Type header. The binary response path bypasses the central Content-Security-Policy sandbox header, permitting a publicly accessible webhook to execute arbitrary JavaScript in the n8n origin when visited by an authenticated user. This allows an attacker to run malicious code with the privileges of that user, potentially stealing session tokens or performing further actions within the workflow platform. The vulnerability is categorized as CWE-79, a classic cross-site scripting weakness.
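The weakness described above is a response path that skips a centrally applied sandbox header. The following is an added illustration, not n8n's code, of the defensive pattern the fix implies: the sandboxing Content-Security-Policy is applied after node-supplied headers on every response kind (text, JSON, binary), and a small audit function flags header sets where a script-capable Content-Type is served without a sandbox directive. The header names, the bare `sandbox` directive, the body-kind labels and the list of script-capable media types are assumptions made for this example.

```javascript
// Added example (not n8n's code): enforce a sandboxing CSP on every webhook
// response kind and audit a header set for the advisory's weakness.
// Header names, the 'sandbox' directive, the body-kind labels and the
// SCRIPT_CAPABLE_TYPES list are assumptions made for this illustration.

const SANDBOX_CSP = 'sandbox';

// Media types a browser renders as a document in which script can run.
// Assumed list for the example; extend it for your deployment.
const SCRIPT_CAPABLE_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/xml',
  'application/xml',
]);

// Lower-case header names and stringify values so lookups are uniform.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Drop parameters such as "; charset=utf-8" and lower-case the media type.
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Build the outgoing headers for a webhook response. Node-supplied headers
// are honoured, but the central sandbox CSP and nosniff are applied last on
// every path, so a binary body cannot skip them.
function buildWebhookResponseHeaders(nodeHeaders, bodyKind) {
  const headers = normaliseHeaders(nodeHeaders);
  if (bodyKind === 'binary' && !headers['content-type']) {
    headers['content-type'] = 'application/octet-stream';
  }
  headers['content-security-policy'] = SANDBOX_CSP;
  headers['x-content-type-options'] = 'nosniff';
  return headers;
}

// True when the CSP carries a sandbox directive, with or without flags.
function hasSandboxCsp(headers) {
  const csp = normaliseHeaders(headers)['content-security-policy'] || '';
  return csp
    .split(';')
    .map((d) => d.trim().toLowerCase())
    .some((d) => d === 'sandbox' || d.startsWith('sandbox '));
}

// Audit a response header set: risky when the media type can carry script
// into the origin and no sandboxing CSP is present.
function auditWebhookResponse(headers) {
  const h = normaliseHeaders(headers);
  const scriptCapable = SCRIPT_CAPABLE_TYPES.has(mediaType(h['content-type']));
  const sandboxed = hasSandboxCsp(h);
  return { scriptCapable, sandboxed, risky: scriptCapable && !sandboxed };
}

// Constructed sample: a binary response whose node-chosen Content-Type is HTML.
const unsafeHeaders = { 'Content-Type': 'text/html; charset=utf-8' };
const fixedHeaders = buildWebhookResponseHeaders(unsafeHeaders, 'binary');

console.log('before:', auditWebhookResponse(unsafeHeaders));
console.log('after: ', auditWebhookResponse(fixedHeaders));
```

The audit function is the part worth reusing on the defender side: run it over the headers of every publicly reachable webhook response (for example from a proxy log or a synthetic request) and alert on any `risky: true` result, which is exactly the combination this advisory describes.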

Affected Systems

n8n by n8n-io. Versions before 1.123.55, 2.25.7, and 2.26.2 are vulnerable. The fix is available in releases 1.123.55, 2.25.7, 2.26.2 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 7, indicating high severity, and is not listed in the CISA KEV catalog. The EPSS score is not available, so the current exploitation probability is unknown, though exploitation requires an authenticated user with workflow edit rights. An attacker who has or obtains such permissions can configure the vulnerable node; when another authenticated user visits the public webhook URL, the attacker's JavaScript runs in that victim's context with access to the victim's session. The combination of authenticated access and same-origin execution makes the risk significant for organizations that expose public webhooks or allow broad edit rights.

Generated by OpenCVE AI on June 23, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update n8n to a patched release (1.123.55, 2.25.7, or 2.26.2).
  • Remove or temporarily disable public Respond to Webhook nodes from workflows until the system can be upgraded.
  • Restrict workflow edit permissions to trusted users and review which users can configure webhooks exposed publicly.

Advisories
Source: GitHub GHSA
ID: GHSA-v733-mwr6-fgcm
Title: n8n: Same-Origin XSS in Respond to Webhook Node
History

Tue, 23 Jun 2026 16:45:00 +0000

Values removed: (none)

Values added:
  • Description: n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type. The binary response path bypassed the central Content-Security-Policy sandbox header, allowing a public webhook to execute JavaScript in the n8n origin when visited by an authenticated user, with access to that user's session. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
  • Title: n8n: Same-Origin XSS in Respond to Webhook Node
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:44:58.322Z

Reserved: 2026-06-12T17:46:37.294Z

Link: CVE-2026-54301

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T22:15:04Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')