Cross-site scripting in n8n - #VU137162

 

Cross-site scripting in n8n - #VU137162

Published: July 8, 2026


Vulnerability identifier: #VU137162
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to improper input validation in the Resource Locator component when opening workflow-persisted external links. A remote user can create a crafted workflow with a malicious cachedResultUrl value to execute arbitrary JavaScript in the victim's browser.

User interaction is required to open the crafted workflow and interact with external links.


Remediation

Install security update from vendor's website.

Sources