Impact
Prior to releases 1.123.55, 2.25.7 and 2.26.2 an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker‑controlled Content‑Type, bypassing the central Content‑Security‑Policy sandbox header and allowing a public webhook to execute JavaScript in the n8n origin when visited by the authenticated user, thereby granting the attacker access to that user’s session.
Affected Systems
n8n‑io:n8n. Versions before 1.123.55, 2.25.7 and 2.26.2 are vulnerable; the fix is available in those releases and later.
Risk and Exploitability
The CVSS score of 7 indicates high severity, the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with workflow edit rights; by visiting the public webhook URL the attacker can cause the vulnerable script to run in the victim’s browser context, executing code with the user’s privileges.
OpenCVE Enrichment
Github GHSA