CVE-2026-25051: n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS
A Cross-site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly.
An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover.
References
- github.com/advisories/GHSA-825q-w924-xhgx
- github.com/n8n-io/n8n
- github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323
- github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9
- github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx
- nvd.nist.gov/vuln/detail/CVE-2026-25051
Code Behaviors & Features
Detect and mitigate CVE-2026-25051 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →