Description
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type. The binary response path bypassed the central Content-Security-Policy sandbox header, allowing a public webhook to execute JavaScript in the n8n origin when visited by an authenticated user, with access to that user's session. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Published: 2026-06-23
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to releases 1.123.55, 2.25.7 and 2.26.2 an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker‑controlled Content‑Type, bypassing the central Content‑Security‑Policy sandbox header and allowing a public webhook to execute JavaScript in the n8n origin when visited by the authenticated user, thereby granting the attacker access to that user’s session.

Affected Systems

n8n‑io:n8n. Versions before 1.123.55, 2.25.7 and 2.26.2 are vulnerable; the fix is available in those releases and later.

Risk and Exploitability

The CVSS score of 7 indicates high severity, the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with workflow edit rights; by visiting the public webhook URL the attacker can cause the vulnerable script to run in the victim’s browser context, executing code with the user’s privileges.

Generated by OpenCVE AI on June 24, 2026 at 11:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched release (1.123.55, 2.25.7 or 2.26.2).
  • Disable or remove public Respond to Webhook nodes from workflows until the system can be upgraded.
  • Limit workflow edit permissions to trusted users and review who can configure publicly exposed webhooks.

Generated by OpenCVE AI on June 24, 2026 at 11:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v733-mwr6-fgcm n8n: Same-Origin XSS in Respond to Webhook Node
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type. The binary response path bypassed the central Content-Security-Policy sandbox header, allowing a public webhook to execute JavaScript in the n8n origin when visited by an authenticated user, with access to that user's session. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Title n8n: Same-Origin XSS in Respond to Webhook Node
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T14:00:17.206Z

Reserved: 2026-06-12T17:46:37.294Z

Link: CVE-2026-54301

cve-icon Vulnrichment

Updated: 2026-06-24T14:00:13.121Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')