Cross-site scripting in n8n - CVE-2026-54301


Published: June 16, 2026


Vulnerability identifier: #VU134565
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54301
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the n8n origin.

The vulnerability exists due to improper neutralization of input during web page generation in the Respond to Webhook node when serving binary content with an attacker-controlled Content-Type through a public webhook. A remote user can configure a webhook response to deliver crafted content to execute arbitrary JavaScript in the n8n origin.

User interaction is required, and the victim must visit the public webhook while authenticated to n8n.
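The class of bug described above (an application serving stored or request-controlled bytes with a caller-chosen Content-Type from its own origin) has a generic, defender-side shape that is worth seeing in code. The Node.js snippet below is an added illustration; it is not n8n's code and not the vendor's fix. It reduces an untrusted Content-Type value to a validated media type, renders inline only an allowlist of passive types, serves everything else as an attachment with `X-Content-Type-Options: nosniff`, and attaches a sandboxing Content-Security-Policy so that a document which does get rendered is treated as an opaque origin rather than as the application origin. The function names, the allowlist contents, and the sample inputs are assumptions made for this example.

```javascript
// Added example, not n8n's code: hardening a binary response whose
// Content-Type and filename come from untrusted workflow/request input.

// Assumed allowlist of passive media types a browser may render inline
// without executing script. Anything else is downloaded, not rendered.
const INLINE_SAFE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'audio/mpeg', 'video/mp4', 'text/plain', 'application/json',
]);

// RFC 7230 token characters: this rejects whitespace, CR/LF (header
// injection) and anything that is not a plain "type/subtype".
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const MEDIA_TYPE_RE = new RegExp('^' + TOKEN + '/' + TOKEN + '$');

// Reduce an untrusted Content-Type value to a validated "type/subtype",
// dropping parameters; anything malformed becomes application/octet-stream.
function parseMediaType(contentType) {
  if (typeof contentType !== 'string') return 'application/octet-stream';
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  return MEDIA_TYPE_RE.test(mediaType) ? mediaType : 'application/octet-stream';
}

// Keep filenames to a conservative character set so the Content-Disposition
// header cannot be broken out of with quotes, CR/LF or path separators.
function sanitizeFilename(name) {
  const raw = name == null ? '' : String(name);
  const cleaned = raw.replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 100);
  return cleaned.replace(/^\.+/, '') || 'download';
}

// Build the response headers for binary content. Assumed helper, not an n8n API.
function buildBinaryResponseHeaders(requestedType, filename) {
  const mediaType = parseMediaType(requestedType);
  const inline = INLINE_SAFE_TYPES.has(mediaType);
  return {
    // Active types (text/html, image/svg+xml, ...) are never echoed back.
    'Content-Type': inline ? mediaType : 'application/octet-stream',
    // Stop the browser from second-guessing the declared type.
    'X-Content-Type-Options': 'nosniff',
    // Download rather than render anything that is not on the allowlist.
    'Content-Disposition':
      (inline ? 'inline' : 'attachment') + '; filename="' + sanitizeFilename(filename) + '"',
    // Defense in depth: if a document is rendered anyway, "sandbox" places it
    // in an opaque origin with no script, so it cannot act as the app origin.
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed inputs exercising each branch (allowlisted, active type,
// SVG, and a header-injection attempt with a hostile filename).
const samples = [
  ['image/png', 'logo.png'],
  ['text/html; charset=utf-8', 'report.html'],
  ['image/svg+xml', 'icon.svg'],
  ['text/html\r\nX-Injected: 1', '../../evil"; x="y'],
];
for (const [type, name] of samples) {
  console.log(type.replace(/\r?\n/g, '\\n'), '=>', buildBinaryResponseHeaders(type, name));
}
```

In a real handler the returned object is written with `res.writeHead(200, headers)` before the body is streamed; the important property is that `parseMediaType` and the allowlist sit between the untrusted configuration and the header, so a value such as `text/html` from a workflow never reaches the browser as a renderable type on the application's origin.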


How to mitigate CVE-2026-54301

Install the security update from the vendor's website.

Sources