CVE-2026-56354

Summary

n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions can inject malicious scripts or redirect parameters to perform stored XSS attacks or phishing redirects against end users.

Affected Software

VendorProductVersion RangeStatus
n8nn8n0 < 1.123.24affected
n8nn8n1.123.24unaffected
n8nn8n2.0.0-rc.0 < 2.10.4affected
n8nn8n2.10.4unaffected
n8nn8n2.11.0 < 2.12.0affected
n8nn8n2.12.0unaffected
n8nn8n0 < 2.10.4affected
n8nn8n2.10.4unaffected
n8nn8n0 < 1.123.24affected
n8nn8n1.123.24unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References