CVE-2026-33749
Stored XSS via Insecure Binary Data Handling in n8n Workflows
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | Up to 1.123.27 (exc) |
| n8n | n8n | From 2.0.0 (inc) to 2.13.3 (exc) |
| n8n | n8n | 2.14.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the n8n workflow automation platform versions prior to 1.123.27, 2.13.3, and 2.14.1. An authenticated user with permission to create or modify workflows could craft a workflow that generates an HTML binary data object without a filename. The platform's /rest/binary-data endpoint served these responses inline without proper security headers like Content-Disposition or Content-Security-Policy. This allowed the HTML to render in the browser with full same-origin JavaScript access.
By sending the URL of this crafted binary data to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session. This could lead to exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin.
The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Until upgrading, temporary mitigations include limiting workflow creation and editing permissions to fully trusted users and restricting network access to the n8n instance to prevent untrusted users from accessing binary data URLs.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute malicious JavaScript in the context of a higher-privileged user's authenticated session on the n8n platform. Potential impacts include:
- Exfiltration of sensitive workflows and credentials.
- Modification of existing workflows.
- Privilege escalation to admin level.
These impacts can lead to unauthorized access, data leakage, and potential control over the n8n instance.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, users should upgrade n8n to versions 1.123.27, 2.13.3, 2.14.1, or later.
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs.
Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary JavaScript in the context of higher-privileged users' authenticated sessions, potentially leading to exfiltration of workflows and credentials, unauthorized modification of workflows, or privilege escalation to admin.
Such unauthorized access and data exfiltration could impact the confidentiality and integrity of sensitive data managed within the n8n platform, which may affect compliance with data protection standards and regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Mitigating this vulnerability by upgrading to fixed versions or applying strict access controls is necessary to reduce the risk of data breaches and maintain compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the `/rest/binary-data` endpoint serving HTML binary data objects inline without proper security headers, which can be detected by inspecting HTTP responses from this endpoint.
To detect the vulnerability, you can monitor or capture HTTP traffic to the n8n instance and check if responses from `/rest/binary-data` lack the `Content-Disposition` and `Content-Security-Policy` headers and contain HTML content rendered inline.
Example commands to detect this behavior include using curl or similar tools to request the endpoint and inspect headers:

```shell
curl -i -H "Authorization: Bearer <token>" https://<n8n-instance>/rest/binary-data/<id>
```

Look for missing `Content-Disposition` and `Content-Security-Policy` headers in the response and check if the response body contains HTML content.
Alternatively, you can use network monitoring tools like Wireshark or proxy tools like Burp Suite to capture and analyze traffic to the `/rest/binary-data` endpoint for these characteristics.
Note that detection requires authenticated access with permissions to create or modify workflows, as the vulnerability is exploitable only by authenticated users with such permissions.
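The header check described above, and the remediated response shape implied by the fix description, as an added example that is not part of this advisory or of n8n's own code: it classifies one captured response from `/rest/binary-data` by the conditions the advisory names (HTML served inline without `Content-Disposition: attachment`, and no `Content-Security-Policy`). The header sets and bodies are constructed samples, and the CSP-strength check is an added caveat, since a CSP that still permits script would not neutralize the page.

```python
# Added example, not part of the advisory or of n8n's own code. It classifies a
# single HTTP response from /rest/binary-data by the conditions the advisory
# describes: HTML content served inline (no Content-Disposition: attachment)
# and no Content-Security-Policy. Sample headers and bodies are constructed.
from typing import Mapping

HTML_TYPES = ("text/html", "application/xhtml+xml")
HTML_MAGIC = (b"<!doctype html", b"<html", b"<script")


def assess_binary_data_response(headers: Mapping[str, str], body: bytes) -> list[str]:
    """Return findings for one response; an empty list means no risk condition seen."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ctype = h.get("content-type", "").lower()
    disposition = h.get("content-disposition", "").lower()
    csp = h.get("content-security-policy", "").lower()

    # Only an HTML document can render as a same-origin page; sniff the body too,
    # since a generic Content-Type does not stop every browser from rendering it.
    looks_html = ctype.startswith(HTML_TYPES) or body[:512].lstrip().lower().startswith(HTML_MAGIC)
    if not looks_html:
        return []

    findings = []
    if "attachment" not in disposition:
        findings.append("html-served-inline")   # no Content-Disposition: attachment
    if not csp:
        findings.append("csp-missing")          # no Content-Security-Policy at all
    elif "sandbox" not in csp and "script-src 'none'" not in csp:
        findings.append("csp-allows-script")    # CSP present but does not block script
    return findings


# Constructed samples: what a vulnerable and a remediated response could look like.
SAMPLE_HTML = b"<!DOCTYPE html><html><body><script>/* constructed */</script></body></html>"
VULNERABLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
FIXED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Disposition": 'attachment; filename="export.html"',
    "Content-Security-Policy": "sandbox",
}
NON_HTML_HEADERS = {"Content-Type": "image/png"}
PNG_PREFIX = b"\x89PNG\r\n\x1a\n"


if __name__ == "__main__":
    for name, hdrs, body in [("vulnerable", VULNERABLE_HEADERS, SAMPLE_HTML),
                             ("fixed", FIXED_HEADERS, SAMPLE_HTML),
                             ("png", NON_HTML_HEADERS, PNG_PREFIX)]:
        print(f"{name}: {assess_binary_data_response(hdrs, body) or 'no findings'}")
```

Feed it the headers and body captured from the curl request above; an empty result for an HTML body means the response carries both protections the advisory calls for.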