CVE-2026-33749: n8n Vulnerable to XSS via Binary Data Inline HTML Rendering
An authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such responses inline on the n8n origin without Content-Disposition or Content-Security-Policy headers, allowing the HTML to render in the browser with full same-origin JavaScript access.
By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim’s authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin.
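The weakness described above is a response-header problem: a binary object with an HTML content type and no filename was handed to the browser as a normal same-origin document. The following is an added example, not n8n's code and not the fix the project shipped; the function and variable names are assumptions for illustration. It shows the header set a binary-data download endpoint should emit (forcing `Content-Disposition: attachment`, a `sandbox` CSP and `nosniff`) together with an audit function a defender can run over the headers an endpoint actually returns to flag the inline-rendering condition.

```javascript
// Added example (not n8n's code): header policy for a /binary-data style
// endpoint plus an audit of observed headers. Names are hypothetical.

const UNSAFE_FILENAME_CHARS = /[^A-Za-z0-9._-]/g;

// Build the headers to send for a stored binary object. `fileName` may be
// missing, which is exactly the case that was served inline in the advisory.
function binaryResponseHeaders({ mimeType, fileName }) {
  // Missing filename must not change the decision: always force a download.
  const safeName = (fileName && fileName.length > 0 ? fileName : 'download.bin')
    .replace(UNSAFE_FILENAME_CHARS, '_');
  return {
    'Content-Type': mimeType || 'application/octet-stream',
    // attachment: the browser saves the body instead of rendering it on this origin
    'Content-Disposition': `attachment; filename="${safeName}"`,
    // sandbox: if the body is rendered anyway, scripts are blocked and the
    // document gets an opaque origin with no access to the app's session
    'Content-Security-Policy': 'sandbox',
    // stop the browser from sniffing an octet-stream into text/html
    'X-Content-Type-Options': 'nosniff',
  };
}

// Given the headers an endpoint actually returned, list the conditions that
// make attacker-authored HTML render with same-origin script access.
function auditBinaryResponse(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
    return key ? String(headers[key]) : '';
  };
  const findings = [];
  const ctype = get('Content-Type').toLowerCase();
  const disp = get('Content-Disposition').toLowerCase();
  const csp = get('Content-Security-Policy').toLowerCase();
  // content types a browser will render as an active document
  const renderable = /text\/html|application\/xhtml\+xml|image\/svg\+xml/.test(ctype);

  if (renderable && !disp.startsWith('attachment')) {
    findings.push('renderable content type served inline (no Content-Disposition: attachment)');
  }
  if (renderable && !/\bsandbox\b/.test(csp)) {
    findings.push('no Content-Security-Policy sandbox on renderable content');
  }
  if (!get('X-Content-Type-Options').toLowerCase().includes('nosniff')) {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Constructed samples: headers resembling the vulnerable behaviour, and the
// hardened set for the same object (HTML content type, no filename).
const vulnerableSample = { 'Content-Type': 'text/html' };
const hardenedSample = binaryResponseHeaders({ mimeType: 'text/html', fileName: undefined });

console.log('vulnerable findings:', auditBinaryResponse(vulnerableSample));
console.log('hardened findings:', auditBinaryResponse(hardenedSample));
```

Run the audit against a captured response from the instance's binary-data endpoint (for example after applying the vendor update) to confirm that HTML-typed objects are no longer served inline; an empty findings list is the expected result on a patched deployment.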