CVE-2026-54301
Status: Awaiting Analysis (Queue)
Content-Type Spoofing in n8n Workflow Automation

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type. The binary response path bypassed the central Content-Security-Policy sandbox header, allowing a public webhook to execute JavaScript in the n8n origin when visited by an authenticated user, with access to that user's session. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product   Version / Range
n8n      n8n       < 1.123.55, < 2.25.7, < 2.26.2 (end excluding)
CWE
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-54301 is a Same-Origin Cross-Site Scripting (XSS) vulnerability in the Respond to Webhook node of n8n, an open-source workflow automation platform.

An authenticated user with workflow edit permissions could configure the Respond to Webhook node to serve binary content with an attacker-controlled Content-Type header.

This configuration bypasses the central Content-Security-Policy sandbox header, allowing JavaScript to execute within the n8n origin when an authenticated user visits the webhook.

This means that the attacker-controlled script can run with access to the authenticated user's session.

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code within the n8n origin when an authenticated user accesses a maliciously configured webhook.

Because the attack runs in the context of the authenticated user's session, it can compromise confidentiality and integrity of user data.

The vulnerability has a high severity rating (CVSS 7.0) and requires low privileges and user interaction to exploit.

There is no impact on availability.

Detection Guidance

The vulnerable pattern is a Respond to Webhook node, configured by an authenticated user with workflow edit access, that serves binary content with an attacker-controlled Content-Type header; the binary response path does not carry the Content-Security-Policy sandbox header that other responses receive.

Detection therefore means identifying any Respond to Webhook node configured to serve binary content with an attacker-controlled Content-Type header on n8n instances running versions prior to 1.123.55, 2.25.7, and 2.26.2.

Since exploitation requires authentication and workflow edit permissions, detection effort is best spent auditing workflow configurations and user permissions within n8n.

However, no specific detection commands or network scanning commands are provided in the available resources.
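The page names no detection commands, so the script below is an added example (not from the page, the n8n project, or the advisory's authors) of the audit described above: it checks an n8n version string against the three fixed releases and scans exported workflow JSON for Respond to Webhook nodes that return binary data with a Content-Type a browser would render as a document. The node type id `n8n-nodes-base.respondToWebhook`, the `respondWith` parameter with value `binary`, the `options.responseHeaders.entries` layout, and the convention that n8n expression values start with `=` are the example author's understanding of the workflow export format and should be treated as assumptions; the sample workflow is constructed, not a real export.

```python
"""Audit n8n version strings and exported workflow JSON for the
CVE-2026-54301 pattern: a Respond to Webhook node serving binary data
with an attacker-controlled or document-type Content-Type header."""
import json
import re
import sys

# Assumed node type id and parameter names from the n8n workflow export
# format; adjust them if your exports use different keys.
RESPOND_NODE_TYPE = "n8n-nodes-base.respondToWebhook"

# Content-Types a browser renders as a document, where inline script could
# run in the n8n origin if the sandbox CSP header is absent.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}


def parse_version(version: str) -> tuple:
    """'v2.26.1' or '2.26.1' -> (2, 26, 1)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when 'prior to 1.123.55, 2.25.7 and 2.26.2' applies to version."""
    v = parse_version(version)
    major = v[0]
    if major < 1:
        return True                      # pre-1.x releases predate every fix
    if major == 1:
        return v < (1, 123, 55)
    if major == 2:
        if v < (2, 25, 7):
            return True                  # 2.0 .. 2.25.6
        if v[:2] == (2, 26) and v[2] < 2:
            return True                  # 2.26.0 and 2.26.1
        return False
    return False  # majors above 2 are not named by the advisory; assumed fixed


def audit_workflow(workflow: dict) -> list:
    """Return one finding per Respond to Webhook node that serves binary data."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != RESPOND_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("respondWith") != "binary":
            continue
        entries = (params.get("options", {})
                         .get("responseHeaders", {})
                         .get("entries", []))
        ctype = None
        for entry in entries:
            if str(entry.get("name", "")).lower() == "content-type":
                ctype = str(entry.get("value", ""))
        if ctype is None:
            severity = "review"
            reason = "binary response without an explicit Content-Type header"
        elif ctype.startswith("="):      # n8n expression: value set at runtime
            severity = "high"
            reason = f"Content-Type is an expression: {ctype!r}"
        elif ctype.split(";")[0].strip().lower() in ACTIVE_CONTENT_TYPES:
            severity = "high"
            reason = f"Content-Type {ctype!r} is rendered as an active document"
        else:
            severity = "low"
            reason = f"static non-document Content-Type {ctype!r}"
        findings.append({"node": node.get("name"), "severity": severity,
                         "reason": reason})
    return findings


# Constructed sample export (not a real n8n workflow) used for a self-test.
SAMPLE_WORKFLOW = json.loads("""
{
  "name": "constructed sample",
  "nodes": [
    {"name": "Webhook", "type": "n8n-nodes-base.webhook",
     "parameters": {"path": "report", "responseMode": "responseNode"}},
    {"name": "Respond HTML", "type": "n8n-nodes-base.respondToWebhook",
     "parameters": {"respondWith": "binary", "options": {"responseHeaders":
       {"entries": [{"name": "Content-Type", "value": "text/html"}]}}}},
    {"name": "Respond PNG", "type": "n8n-nodes-base.respondToWebhook",
     "parameters": {"respondWith": "binary", "options": {"responseHeaders":
       {"entries": [{"name": "Content-Type", "value": "image/png"}]}}}},
    {"name": "Respond JSON", "type": "n8n-nodes-base.respondToWebhook",
     "parameters": {"respondWith": "json"}}
  ]
}
""")


if __name__ == "__main__":
    # Usage: python audit_n8n.py <n8n-version> [workflow.json ...]
    if len(sys.argv) > 1:
        print("version affected:", is_vulnerable_version(sys.argv[1]))
    for path in sys.argv[2:] or []:
        with open(path, encoding="utf-8") as fh:
            for f in audit_workflow(json.load(fh)):
                print(f"{path}: [{f['severity']}] {f['node']}: {f['reason']}")
    if len(sys.argv) <= 2:
        for f in audit_workflow(SAMPLE_WORKFLOW):
            print(f"sample: [{f['severity']}] {f['node']}: {f['reason']}")
```

Run it against workflow exports from a pre-fix instance and review every `high` finding first, then the `review` ones, since a binary item whose MIME type comes from upstream data is also attacker-influenced when the workflow author is untrusted. The version check encodes the advisory's three fixed releases literally: 2.24.x is affected because it is prior to 2.25.7, and 2.26.0 and 2.26.1 are affected because they are prior to 2.26.2.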

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade n8n to one of the fixed versions: 1.123.55, 2.25.7, or 2.26.2.

If upgrading is not immediately possible, apply temporary mitigations such as restricting workflow editing permissions to trusted users only.

Another temporary mitigation is to disable the Respond to Webhook node to prevent exploitation.

Compliance Impact

The vulnerability allows an authenticated user with workflow edit access to execute JavaScript within the n8n origin by bypassing the Content-Security-Policy sandbox header. This can lead to unauthorized access to the user's session and potentially sensitive data.

Such unauthorized access and potential exposure of sensitive information could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and ensuring data integrity.

Remediation by upgrading to fixed versions or applying mitigations is necessary to maintain compliance and reduce the risk of data breaches.
