CVE-2026-56358: n8n: stored XSS in Form Trigger enables form hijacking

MEDIUM
Published June 24, 2026
CISO Take

A stored cross-site scripting vulnerability in n8n's Form Trigger node allows any authenticated user with workflow creation rights to inject persistent malicious scripts that execute in the browsers of every visitor to the affected form. For organizations using n8n to orchestrate AI agent workflows—automating LLM-powered data collection, intake pipelines, or agentic processing—a compromised or malicious internal user can silently hijack customer-facing forms, exfiltrating submitted data or redirecting users to attacker-controlled phishing pages with no further attacker interaction required. EPSS data is unavailable and no public exploit exists, but the low-privilege requirement and the stored nature of the payload mean exploitation persists silently until patched. Upgrade to n8n ≥1.123.25 (1.x branch) or ≥2.11.2/2.12.0 (2.x branch); as an immediate workaround, restrict workflow creation permissions to trusted users only and audit all Form Trigger nodes for unexpected CSS payloads.

Sources: NVD, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

Medium risk overall, but elevated for organizations using n8n as a customer-facing AI agent orchestration layer. The CVSS scope change (S:C) signals that the impact crosses security boundaries—from the attacker's authenticated session into the browsers of unauthenticated form visitors. The low-privilege requirement means any employee, contractor, or compromised account with workflow creation access becomes a viable attack vector. With 111 prior CVEs in this package and an OpenSSF Scorecard of 6.6/10, n8n carries a pattern of recurring vulnerabilities that warrants structural attention beyond this individual patch. No KEV listing or public exploit reduces immediate urgency, but the stored payload persists silently across all form visits until remediated.

How does the attack unfold?

Initial Access (AML.T0012): Attacker authenticates to n8n using a legitimate account with workflow creation permissions, obtained via credential theft, phishing, or insider access.

Payload Injection (AML.T0049): Attacker creates or modifies a Form Trigger node, embedding a JavaScript XSS payload in the CSS field that bypasses n8n's insufficient sanitization routine.

Persistence (AML.T0079): The malicious payload is stored in n8n's database and staged for execution, firing automatically in the browser of every user who subsequently visits the compromised form.

Impact (AML.T0052): Attacker's script silently exfiltrates all form submissions and session tokens, or redirects victims to phishing pages, continuously affecting all users of the AI data intake pipeline until remediated.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable Range: (not listed)
Patched: No patch
Package profile: 193.4K; OpenSSF Scorecard 6.6; pushed 3d ago; 54% patched; ~7d to patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

What should I do?

6 steps
  1. Patch: upgrade to n8n ≥1.123.25 (1.x) or ≥2.11.2/2.12.0 (2.x) immediately.

  2. Audit Form Trigger nodes: inspect all CSS fields in existing Form Trigger workflow configurations for unexpected script tags, event handlers (on*=), or javascript: URIs.

  3. Restrict permissions: apply least-privilege to n8n user roles—limit workflow creation rights to a minimal set of trusted users.

  4. Enforce CSP: configure a strict Content-Security-Policy header on the n8n host to restrict script execution sources, reducing the impact of any future XSS payload.

  5. Monitor: review n8n audit logs for unexpected workflow creation or modification events, particularly targeting Form Trigger nodes.

  6. Pre-patch workaround: if immediate patching is not possible, disable the Form Trigger node type in n8n settings or isolate instances serving external-facing forms from production data.
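The audit in step 2 can be scripted against a workflow export (for example the JSON written by `n8n export:workflow --all`). The following is an added example, not n8n's own code; it assumes Form Trigger nodes carry the type string `n8n-nodes-base.formTrigger` and store the custom stylesheet at `parameters.options.customCss`, so adjust those two names if your export differs.

```javascript
// Added audit example (not n8n's own code): scan an exported workflow JSON for
// Form Trigger nodes whose custom CSS contains the indicators listed in step 2.
// Assumptions: node type "n8n-nodes-base.formTrigger" and CSS at
// parameters.options.customCss; both are assumed names, check them against your export.

const FORM_TRIGGER_TYPE = "n8n-nodes-base.formTrigger";

// Indicators: markup that would end the <style> context, inline event handlers,
// javascript: URIs and legacy CSS expression(). Legitimate form CSS needs none of them.
const INDICATORS = [
  { name: "closing style tag", re: /<\s*\/\s*style/i },
  { name: "script tag", re: /<\s*script/i },
  { name: "html tag", re: /<\s*[a-z!?/]/i },
  { name: "event handler attribute", re: /\bon[a-z]+\s*=/i },
  { name: "javascript: URI", re: /javascript\s*:/i },
  { name: "CSS expression()", re: /\bexpression\s*\(/i },
];

// Extract the custom CSS string from a node, or "" when the option is not set.
function customCssOf(node) {
  const opts = (node.parameters && node.parameters.options) || {};
  return typeof opts.customCss === "string" ? opts.customCss : "";
}

// Return one finding per Form Trigger node whose CSS matches any indicator.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== FORM_TRIGGER_TYPE) continue;
    const css = customCssOf(node);
    const hits = INDICATORS.filter((i) => i.re.test(css)).map((i) => i.name);
    if (hits.length > 0) {
      findings.push({ workflow: workflow.name, node: node.name, indicators: hits });
    }
  }
  return findings;
}

// Audit a whole export: n8n writes either one workflow object or an array of them.
function auditExport(exported) {
  const workflows = Array.isArray(exported) ? exported : [exported];
  return workflows.flatMap(auditWorkflow);
}

// Constructed sample export: one benign form and one whose CSS leaves the CSS context.
const SAMPLE_EXPORT = [
  { name: "Support intake", nodes: [{ name: "Form", type: FORM_TRIGGER_TYPE,
      parameters: { options: { customCss: "body { font-family: sans-serif; }" } } }] },
  { name: "AI assistant intake", nodes: [{ name: "Form", type: FORM_TRIGGER_TYPE,
      parameters: { options: { customCss: "h1{}</style><script>/*...*/</script>" } } }] },
];
```

Every finding should be reviewed by hand: a `content: "<"` string in genuine CSS will trip the "html tag" indicator, so the script is a triage aid, not a verdict.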

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2 - AI system design and development controls
NIST AI RMF
MANAGE 2.2 - Residual risk management mechanisms
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Workflow automation pipelines
Customer-facing AI intake forms
Multi-tenant AI orchestration platforms

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.

Exploitation Scenario

An attacker with a legitimate n8n account—obtained via credential theft, phishing of an internal user, or insider access—creates or modifies a workflow containing a Form Trigger node. They inject a JavaScript payload into the CSS field of the form configuration, exploiting the insufficient sanitization to break out of the CSS context and embed executable script. The payload is persisted in n8n's database. When customers or employees visit the form URL to submit data to an AI processing pipeline (e.g., 'enter your query for our AI assistant'), the attacker's script executes silently in their browser, capturing all form input—including credentials, sensitive data, or LLM prompts—and exfiltrating it to an attacker-controlled endpoint. Because the payload persists in storage, all future form visitors are compromised without any further attacker interaction, providing continuous data access until the workflow is remediated.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets and style property, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
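The CSS context named in the second mitigation is exactly the one this advisory concerns: CSS placed inside a `<style>` element is raw text to the HTML tokenizer, so HTML entity encoding does nothing there and the first `</style` sequence ends the element. The following added illustration (not n8n's code, and no claim about how n8n renders its forms) shows the unsafe interpolation pattern beside a context-aware encoding for that position, combined with the Content-Security-Policy from remediation step 4 as defence in depth; `renderFormPage`, `encodeCssForStyleElement` and the nonce parameter are hypothetical names.

```javascript
// Added illustration of the CWE-79 pattern behind this advisory and of the CSP
// defence from remediation step 4. NOT n8n's code; the function names are hypothetical.
// Scenario: a form page embeds operator-supplied CSS inside a <style> element.

// Vulnerable pattern: interpolating raw CSS. <style> content is raw text, so the
// first "</style" closes the element and everything after it is parsed as markup.
function renderStyleUnsafe(css) {
  return `<style>${css}</style>`;
}

// Context-aware encoding for CSS inside <style>: entities are useless here (raw text
// is not entity-decoded), but CSS hex escapes are decoded by the CSS parser and
// invisible to the HTML tokenizer, so an encoded "<" can never start "</style".
// Valid CSS has no bare "<" or ">" outside strings, so benign stylesheets pass unchanged.
function encodeCssForStyleElement(css) {
  return String(css).replace(/</g, "\\3c ").replace(/>/g, "\\3e ");
}

// Hardened rendering: encoded CSS, a nonced <style>, and a CSP that allows only
// same-origin scripts and nonced styles, so even a future breakout cannot run script
// or redirect the form to another origin. `nonce` must be fresh random bytes per
// response (e.g. crypto.randomBytes(16).toString("base64")); it is a parameter here.
function renderFormPage(css, nonce, body) {
  const csp = [
    "default-src 'self'",
    "script-src 'self'",
    `style-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "form-action 'self'",
  ].join("; ");
  const html =
    `<!doctype html><html><head>` +
    `<style nonce="${nonce}">${encodeCssForStyleElement(css)}</style>` +
    `</head><body>${body}</body></html>`;
  return { html, headers: { "Content-Security-Policy": csp } };
}
```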

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
June 24, 2026
Last Modified
June 24, 2026
First Seen
June 24, 2026