CVE-2026-56359 in n8n
Summary
by MITRE • 07/08/2026
n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow where authenticated users can inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields. Attackers can craft malicious credentials and trick victims into clicking the OAuth authorization button, executing arbitrary scripts in their browser session with the victim's privileges.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in n8n versions prior to 2.8.0 represents a critical cross-site scripting flaw within the credential management system that specifically targets the OAuth2 authorization URL field handling mechanism. This weakness exists in the web application's user interface where authenticated users can input malicious JavaScript code into credential configuration fields, particularly those related to OAuth2 authentication flows. The vulnerability stems from insufficient input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before rendering it within the browser context.
The technical exploitation of this vulnerability occurs through a sophisticated social engineering attack vector where an attacker crafts malicious OAuth2 credentials containing JavaScript payloads within the Authorization URL field. When a victim with valid authentication credentials navigates to the credential management interface and attempts to use these crafted credentials, the malicious JavaScript code becomes embedded in the authorization flow. Upon clicking the OAuth authorization button, the browser executes the injected script within the victim's session context, effectively bypassing standard security boundaries.
This vulnerability directly maps to CWE-79 which defines cross-site scripting as the improper handling of untrusted data within web applications, and aligns with ATT&CK technique T1059.007 for command and scripting interpreter. The operational impact extends beyond simple script execution as it enables attackers to perform actions with the victim's privileges including accessing sensitive workflow data, modifying credential configurations, and potentially escalating their access to other system resources. The authenticated nature of the attack means that victims must have legitimate access to the n8n instance, but this still represents a significant risk given that many users maintain administrative privileges.
The security implications of this vulnerability are particularly concerning in enterprise environments where n8n instances may be used for critical automation workflows and contain sensitive integration credentials. Attackers can leverage this flaw to establish persistent access patterns or perform data exfiltration through the compromised authentication flows. Organizations using n8n should immediately implement mitigation strategies including upgrading to version 2.8.0 or later, implementing strict input validation policies for credential fields, and conducting comprehensive security reviews of existing credential configurations to identify potential malicious entries that may have already been introduced into the system.