CVE-2026-56356

Summary

n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 (fixed in 1.123.27, 2.13.3, and 2.14.1). An authenticated user with permission to create or modify workflows can inject JavaScript that bypasses sanitization, resulting in stored XSS against any user who visits the public chat page.

Affected Software

VendorProductVersion RangeStatus
n8nn8n0 < 1.123.27affected
n8nn8n1.123.27unaffected
n8nn8n2.0.0-rc.0 < 2.13.3affected
n8nn8n2.13.3unaffected
n8nn8n2.14.0 < 2.14.1affected
n8nn8n2.14.1unaffected
n8nn8n0 < 2.14.1affected
n8nn8n2.14.1unaffected
n8nn8n0 < 2.13.3affected
n8nn8n2.13.3unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References