CVE-2026-25054: n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI

February 4, 2026

A Cross-site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n’s interface, including workflow sticky notes and other areas that support markdown content.

An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover.

References

github.com/advisories/GHSA-qpq4-pw7f-pp8w
github.com/n8n-io/n8n
github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w
nvd.nist.gov/vuln/detail/CVE-2026-25054

Code Behaviors & Features

Detect and mitigate CVE-2026-25054 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →