CVE-2026-54306
Status: Awaiting Analysis
Prototype Pollution in n8n Workflow Automation

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, a prototype pollution vulnerability allowed a crafted public webhook payload to inject attacker-controlled fields into workflow data during internal object copying. These fields could be surfaced and consumed as normal values by downstream built-in nodes. Where a workflow combines a public webhook with action nodes that consume the resulting fields, an attacker could cause the workflow to act as a confused deputy: targeting unintended records or issuing outbound requests using the workflow owner's configured credentials. This vulnerability is fixed in 2.25.7 and 2.26.2.
Affected Vendors & Products
Vendor   Product   Version / Range
n8n      n8n       up to 2.25.7 (excluding); up to 2.26.2 (excluding)

CWE ID     Description
CWE-1321   The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Mitigation Strategies

Immediate mitigation steps include upgrading n8n to version 2.25.7 or 2.26.2 where the vulnerability is fixed.

Until you can upgrade, avoid using unauthenticated public webhooks that pass data through transform nodes into sensitive action nodes.

Additionally, restrict workflow creation permissions to trusted users only to reduce the risk of exploitation.

Executive Summary

CVE-2026-54306 is a prototype pollution vulnerability in the open-source workflow automation platform n8n. It affects versions prior to 2.25.7 and 2.26.2. An attacker can craft a malicious public webhook payload that injects attacker-controlled fields into the workflow data during internal object copying. These injected fields can then be used by downstream built-in nodes as if they were normal data.

This allows the attacker to manipulate the workflow into acting as a confused deputy, meaning the workflow could perform unintended actions such as targeting unintended records or issuing outbound requests using the workflow owner's configured credentials.

The vulnerability has been fixed in versions 2.25.7 and 2.26.2.

Impact Analysis

This vulnerability can allow an attacker to manipulate workflows to perform unauthorized actions by injecting malicious data through public webhooks. Specifically, the attacker could cause the workflow to act as a confused deputy, potentially targeting unintended records or making outbound requests using the workflow owner's credentials.

Such actions could lead to data manipulation, unauthorized access, or misuse of the workflow owner's privileges, which could compromise the integrity and security of your automated processes.

Detection Guidance

Detection of this vulnerability involves identifying whether your n8n workflows use public webhooks that accept unauthenticated payloads which are then passed through transform nodes into sensitive action nodes. Monitoring for unusual or unexpected fields in workflow data that could indicate prototype pollution attempts is also important.

Since the vulnerability involves crafted webhook payloads, you can inspect incoming webhook requests for suspicious or unexpected JSON fields that attempt to modify object prototypes.

Specific commands are not provided in the resources, but general approaches include:

  • Using network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze webhook traffic for suspicious payloads.
  • Reviewing n8n workflow configurations to identify public webhooks that accept unauthenticated input.
  • Using log analysis commands (e.g., grep) to search for unusual fields or errors in n8n logs related to workflow data processing.
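As an added example (not code from n8n or from this advisory), the following Node.js snippet implements the inspection the guidance describes: it walks a parsed webhook body, reports the path of every key that targets the object prototype, and returns a copy with those keys stripped, in the way a hardened internal copy would. The key list and the sample payload are assumptions; the payload is constructed for this example.

```javascript
// Added example (not n8n's own code): scan an incoming webhook body for keys that
// target the object prototype (CWE-1321) and produce a copy that drops them.
// The key list is deliberately strict: any field named this way is reported.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the dot/bracket path of every dangerous key.
function findPrototypePollutionKeys(value, path = '', findings = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPrototypePollutionKeys(item, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === 'object') {
    // Own keys only: JSON.parse stores "__proto__" as an ordinary own property,
    // so it shows up here instead of silently changing the prototype.
    for (const key of Object.keys(value)) {
      const keyPath = path ? `${path}.${key}` : key;
      if (DANGEROUS_KEYS.has(key)) findings.push(keyPath);
      findPrototypePollutionKeys(value[key], keyPath, findings);
    }
  }
  return findings;
}

// Build a fresh copy with dangerous keys removed. Objects are created with a null
// prototype so nothing written into the copy can reach Object.prototype.
function safeCopy(value) {
  if (Array.isArray(value)) return value.map(safeCopy);
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (!DANGEROUS_KEYS.has(key)) out[key] = safeCopy(value[key]);
  }
  return out;
}

// Inspect a raw webhook body: parse it, report findings, return the sanitized copy.
function inspectWebhookBody(rawBody) {
  const parsed = JSON.parse(rawBody);
  return { findings: findPrototypePollutionKeys(parsed), sanitized: safeCopy(parsed) };
}

// Constructed sample body (not from the advisory): a benign record plus a nested
// "__proto__" key of the kind a detection rule should flag. Written as a JSON
// string on purpose: in an object literal "__proto__" would not be an own key.
const SAMPLE_BODY =
  '{"customer":{"id":42,"name":"Ada"},"meta":{"__proto__":{"recordId":"someone-else"}}}';

const result = inspectWebhookBody(SAMPLE_BODY);
console.log(result.findings);                   // [ 'meta.__proto__' ]
console.log(JSON.stringify(result.sanitized));  // {"customer":{"id":42,"name":"Ada"},"meta":{}}
```

The same walk can run over n8n's request logs or a captured webhook body; a non-empty findings list is the signal to alert on.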

Compliance Impact

The vulnerability allows an attacker to inject malicious fields into workflow data and potentially cause workflows to perform unintended actions using the workflow owner's credentials. This could lead to unauthorized access or manipulation of sensitive data.

Such unauthorized actions and potential data exposure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over data access and processing.

Mitigations include upgrading to patched versions and restricting workflow creation permissions, which are important steps to maintain compliance by preventing unauthorized data manipulation.
