Description
n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 (fixed in 1.123.27, 2.13.3, and 2.14.1). An authenticated user with permission to create or modify workflows can inject JavaScript that bypasses sanitization, resulting in stored XSS against any user who visits the public chat page.
Published: 2026-06-30
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n's Chat Trigger node allows users to enter custom CSS. A misconfiguration of the sanitize-html library enables malicious JavaScript to be stored in that field, which is subsequently rendered on the public chat page. The stored XSS can run in the browser of any user who visits the chat page, potentially leading to session hijacking, data theft or defacement. The CVSS score of 5.1 indicates moderate severity, reflecting that the flaw is exposed through the application's public chat interface.

Affected Systems

The vulnerability exists in all n8n releases prior to version 1.123.27, in releases between 2.0.0 and 2.13.2 inclusive, and in the 2.14.0 release. The flaw was fixed in the 1.123.27, 2.13.3, and 2.14.1 releases. Users running any of the affected releases should verify their installed version against these thresholds.
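To make that version check mechanical, here is an added example (not code from OpenCVE or from the n8n project) that encodes the three affected ranges stated in this record and reports whether a given version string falls inside them. It assumes plain "major.minor.patch" version strings; a leading "v" or a pre-release suffix such as "-rc.1" is ignored for the comparison.

```javascript
// Parse "1.123.27", "v2.14.0" or "2.14.0-rc.1" into [major, minor, patch].
// Assumption: pre-release/build suffixes do not change which range applies.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver-style version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric field-by-field comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected per this record: anything before 1.123.27, the 2.0.0..2.13.2
// line, and exactly 2.14.0. Fixed in 1.123.27, 2.13.3 and 2.14.1.
function isAffectedByCve202656356(version) {
  const [major] = parseVersion(version);
  if (major < 1) return true;                               // 0.x: before 1.123.27
  if (major === 1) return compareVersions(version, "1.123.27") < 0;
  if (major === 2) {
    if (compareVersions(version, "2.13.2") <= 0) return true; // 2.0.0 .. 2.13.2
    return compareVersions(version, "2.14.0") === 0;          // only 2.14.0
  }
  return false;                                             // 3.x and later: not listed
}

// Usage: node check-n8n.js 2.13.1   (exit status 1 when the version is affected)
if (typeof require !== "undefined" && require.main === module) {
  const v = process.argv[2] || "unknown";
  const affected = isAffectedByCve202656356(v);
  console.log(`${v}: ${affected ? "AFFECTED, upgrade" : "not in an affected range"}`);
  process.exit(affected ? 1 : 0);
}
```

The installed version can be obtained from the n8n UI's About dialog or from the package metadata of the deployed image; feed that string to the script.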

Risk and Exploitability

The flaw can be leveraged by an authenticated user who has permission to create or modify workflows; from that point the attacker can inject and store JavaScript that executes for every visitor of the public chat page. No EPSS value is available and the issue is not listed in the CISA KEV catalog, so no external exploitation has been reported yet. Nonetheless, the moderate CVSS score and the fact that the attack requires no additional network access make this vulnerability a low-to-moderate risk for environments with open chat pages.

Generated by OpenCVE AI on June 30, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n 1.123.27 or later, 2.13.3 or later, or 2.14.1 or later to receive the authoritative patch.
  • If upgrading is delayed, limit workflow creation and modification permissions to trusted administrators so that only authorized users can insert scripts.
  • Consider disabling the Custom CSS feature or the Chat Trigger node in environments that cannot immediately patch the vulnerability.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type                 Values Removed   Values Added
Description          (none)           n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 (fixed in 1.123.27, 2.13.3, and 2.14.1). An authenticated user with permission to create or modify workflows can inject JavaScript that bypasses sanitization, resulting in stored XSS against any user who visits the public chat page.
Title                (none)           n8n - Stored Cross-Site Scripting in Chat Trigger Node Custom CSS Field
First Time appeared  (none)           N8n; N8n n8n
Weaknesses           (none)           CWE-79
CPEs                 (none)           cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Vendors & Products   (none)           N8n; N8n n8n
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                                      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:35.484Z

Reserved: 2026-06-20T21:16:53.711Z

Link: CVE-2026-56356

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')