VDB

GCVE-110-NCSC-2026-212

GCVE-110-NCSC-2026-212
Advisory PublishedCVSS 7.6/10
Vulnetix · Advisory published June 29, 2026
An authenticated user with workflow edit access in n8n versions prior to 1.123.55, 2.25.7, and 2.26.2 could exploit a Respond to Webhook node to bypass Content-Security-Policy and execute JavaScript in the n8n origin.

Weaknesses (CWE)

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')CWE-1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')CWE-863Incorrect AuthorizationCWE-290Authentication Bypass by SpoofingCWE-306Missing Authentication for Critical FunctionCWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')CWE-488Exposure of Data Element to Wrong SessionCWE-409Improper Handling of Highly Compressed Data (Data Amplification)

Risk Scores

CVSS 3.1
7.6/10
High · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
n8nvers:unknown/*

References

advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›