CVE-2026-56356 PUBLISHED

n8n - Stored Cross-Site Scripting in Chat Trigger Node Custom CSS Field

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 30.06.2026 Updated: 01.07.2026

n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 (fixed in 1.123.27, 2.13.3, and 2.14.1). An authenticated user with permission to create or modify workflows can inject JavaScript that bypasses sanitization, resulting in stored XSS against any user who visits the public chat page.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Product Status

Vendor n8n
Product n8n
Versions Default: unaffected
  • affected from 0 to 1.123.27 (excl.)
  • Version 1.123.27 is unaffected
  • affected from 2.0.0-rc.0 to 2.13.3 (excl.)
  • Version 2.13.3 is unaffected
  • affected from 2.14.0 to 2.14.1 (excl.)
  • Version 2.14.1 is unaffected
Vendor n8n
Product n8n
Versions Default: unaffected
  • affected from 0 to 2.14.1 (excl.)
  • Version 2.14.1 is unaffected
Vendor n8n
Product n8n
Versions Default: unaffected
  • affected from 0 to 2.13.3 (excl.)
  • Version 2.13.3 is unaffected

Credits

  • JorianWoltjer reporter

References

Problem Types

  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE