CVE-2026-54312
Received - Intake
Global Prototype Pollution in n8n Workflow Automation

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes Object.prototype process-wide for the lifetime of the n8n server process, causing application-wide validation failures and rendering the n8n instance completely non-functional until restarted. This vulnerability is fixed in 2.24.0.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: n8n
Product: n8n
Version / Range: to 2.24.0 (exclusive)
CWE ID: CWE-1321
Description: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Mitigation Strategies

The primary mitigation is to upgrade n8n to version 2.24.0 or later, where this vulnerability is fixed.

As temporary mitigations before upgrading, you can:

  • Restrict workflow editing permissions to trusted users only.
  • Disable the Microsoft SQL node by setting the NODES_EXCLUDE environment variable to exclude it.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-54312 is a prototype pollution vulnerability in the Microsoft SQL node of n8n, an open-source workflow automation platform.

Before version 2.24.0, an authenticated user who has permission to create or modify workflows could exploit this vulnerability by supplying a crafted value to the table parameter.

This crafted input causes global prototype pollution: Object.prototype is polluted process-wide for the lifetime of the n8n server process.

This leads to application-wide validation failures and makes the entire n8n instance completely non-functional until the server is restarted.

The vulnerability is fixed in n8n version 2.24.0.

Impact Analysis

This vulnerability can cause the entire n8n instance to become non-functional due to global prototype pollution.

Specifically, the pollution causes widespread validation failures across the application, disrupting normal operations.

Since the issue persists for the lifetime of the server process, the only way to restore functionality is to restart the n8n server.

An attacker only needs authenticated access with permissions to create or modify workflows, which may be a low privilege level in some environments.

Detection Guidance

This vulnerability manifests as application-wide validation failures and causes the n8n instance to become completely non-functional until the server process is restarted.

Detection involves monitoring for unexpected validation errors or service disruptions in the n8n workflow automation platform, especially if the Microsoft SQL node is in use.

Since the vulnerability requires an authenticated user with workflow creation or modification permissions to supply a crafted value to the table parameter, reviewing workflow creation/modification logs for suspicious or unexpected table parameter values can help detect exploitation attempts.

No specific commands are provided in the available resources for direct detection.
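
One way to carry out the workflow review described above, as an added example that is not from the advisory or from n8n: a Node.js script that scans an exported workflow for Microsoft SQL nodes whose table parameter contains a prototype-related key name. The node type string, the parameter shapes and the token list (the generic CWE-1321 names) are assumptions, and the sample workflow is constructed.

```javascript
// Added example: static review of an exported n8n workflow (JSON) for
// Microsoft SQL nodes whose table parameter names a prototype-related key.
// Assumption: node type name as used in n8n workflow exports.
const MSSQL_NODE_TYPE = 'n8n-nodes-base.microsoftSql';
// Generic CWE-1321 key names, not values taken from the advisory.
const SUSPICIOUS = ['__proto__', 'constructor', 'prototype'];

// The table parameter may be a plain string or an object wrapping the value;
// collect every key and string value found under it.
function collectStrings(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      out.push(key);
      collectStrings(value[key], out);
    }
  }
  return out;
}

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== MSSQL_NODE_TYPE || !node.parameters) continue;
    const hits = new Set();
    for (const s of collectStrings(node.parameters.table)) {
      // Compare whole path segments so "constructor_log" is not flagged.
      for (const seg of s.split(/[^A-Za-z0-9_$]+/)) {
        if (SUSPICIOUS.includes(seg)) hits.add(seg);
      }
    }
    if (hits.size) {
      findings.push({ workflow: workflow.name, node: node.name, tokens: [...hits] });
    }
  }
  return findings;
}

// Constructed sample export (not a payload from the advisory).
const SAMPLE_WORKFLOW = {
  name: 'nightly-sync',
  nodes: [
    { name: 'Orders', type: MSSQL_NODE_TYPE, parameters: { table: 'dbo.orders' } },
    { name: 'Odd table', type: MSSQL_NODE_TYPE,
      parameters: { table: { mode: 'name', value: 'x.__proto__.y' } } },
    { name: 'Notes', type: 'n8n-nodes-base.set', parameters: { table: '__proto__' } },
  ],
};

console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Values supplied through n8n expressions are matched only on their literal text, so an empty result does not clear a workflow whose table parameter is computed at run time.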
