CVE-2026-54313
Status: Received - Intake
Authentication Bypass in n8n Workflow Automation

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation. The value was not validated before being passed to MongoDB as a query filter, allowing unintended documents to be matched and overwritten with attacker-controlled content. This vulnerability is fixed in 2.24.0.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: n8n-io
Product: n8n
Version / Range: all versions before 2.24.0 (2.24.0 itself excluded)
CWE ID and Description
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Compliance Impact

This vulnerability allows an authenticated user with workflow edit access to overwrite unintended documents with attacker-controlled content due to improper validation of MongoDB query filters. Such unauthorized modification of data can lead to breaches in data integrity and confidentiality.

Because of the potential impact on data confidentiality, integrity, and availability, this vulnerability could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining data integrity.

Mitigations such as restricting workflow editing permissions to trusted users or disabling the vulnerable MongoDB node can help reduce the risk and support compliance efforts.

Executive Summary

CVE-2026-54313 is a NoSQL injection vulnerability in the MongoDB node's Find And Replace operation in n8n versions prior to 2.24.0.

An authenticated user with workflow edit access could supply a malicious filter value that was not properly validated before being passed to MongoDB as a query filter.

This allowed unintended documents to be matched and overwritten with attacker-controlled content.

The vulnerability has been fixed in n8n version 2.24.0 and later.

Impact Analysis

This vulnerability can lead to unauthorized modification of data within the MongoDB database used by n8n.

An attacker with workflow edit access could overwrite unintended documents with malicious content, potentially compromising data integrity.

The CVSS 4.0 score indicates a high impact on confidentiality, integrity, and availability of affected systems.

Temporary mitigations include restricting workflow creation and editing permissions to trusted users or disabling the MongoDB node.

Detection Guidance

Detecting exploitation involves identifying whether an authenticated user with workflow edit access is supplying malicious filter values to the MongoDB node's Find And Replace operation on an n8n instance running a version prior to 2.24.0.

Since the vulnerability is a NoSQL injection via unvalidated filter values, monitoring for unusual or unexpected query filters in MongoDB logs, or for unexpected document overwrites, can help detect exploitation attempts.

No specific commands are provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

The primary mitigation is to upgrade n8n to version 2.24.0 or later, where the vulnerability is fixed. Until that is possible, temporary mitigations are:

  • Restrict workflow creation and editing permissions to trusted users only.
  • Disable the MongoDB node by excluding it via the NODES_EXCLUDE environment variable.
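The description above says the filter value reached MongoDB without validation. As an added example (not n8n's code, and not the project's actual fix), here is the kind of check that keeps a user-supplied filter string from matching more than the intended document before a replace: an allowlist of fields and scalar equality only. The field names, the sample filter strings, and the `replaceOne` call on a hypothetical collection handle are assumptions.

```javascript
// Added example, not n8n's code: accept a user-supplied filter string only
// as scalar equality matches on an allowlisted set of fields, so it cannot
// widen the match beyond the intended document before an overwrite.
// The field names below are an assumed schema for illustration.
const ALLOWED_FIELDS = new Set(['_id', 'email', 'orderId']);

function parseStrictFilter(filterJson, allowedFields = ALLOWED_FIELDS) {
  let parsed;
  try {
    parsed = JSON.parse(filterJson);
  } catch (err) {
    return { ok: false, reason: 'filter is not valid JSON' };
  }
  // Require a plain object: arrays, null and scalars are not filters
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'filter must be a JSON object' };
  }
  const keys = Object.keys(parsed);
  // An empty filter matches every document in the collection
  if (keys.length === 0) {
    return { ok: false, reason: 'empty filter would match all documents' };
  }
  const filter = {};
  for (const key of keys) {
    // The allowlist also excludes operator keys and dotted sub-document paths
    if (!allowedFields.has(key)) {
      return { ok: false, reason: `field "${key}" is not allowed` };
    }
    const value = parsed[key];
    // Only scalar equality: nested objects can carry query operators
    if (value === null || !['string', 'number', 'boolean'].includes(typeof value)) {
      return { ok: false, reason: `field "${key}" must be a scalar value` };
    }
    filter[key] = value;
  }
  return { ok: true, filter };
}

// Wrap the driver call so the raw string never reaches replaceOne();
// `collection` is a hypothetical MongoDB driver collection handle.
async function safeFindAndReplace(collection, filterJson, replacement) {
  const checked = parseStrictFilter(filterJson);
  if (!checked.ok) {
    throw new Error(`filter rejected: ${checked.reason}`);
  }
  return collection.replaceOne(checked.filter, replacement);
}
```

The rejection reasons are also what a defender would want logged, since a rejected filter from a workflow editor is the signal the Detection Guidance section describes.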