CVE-2026-56356 MEDIUM

CVE-2026-56356: n8n - Stored Cross-Site Scripting in Chat Trigger Node Custom CSS Field

Vendor N8N
Product n8n
Weakness CWE-79 · XSS
Published June 30, 2026
Last update July 1, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 (fixed in 1.123.27, 2.13.3, and 2.14.1). An authenticated user with permission to create or modify workflows can inject JavaScript that bypasses sanitization, resulting in stored XSS against any user who visits the public chat page.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated