n8n's public webhook handler contains a prototype pollution flaw (CWE-1321) that allows unauthenticated attackers to inject arbitrary fields into workflow execution data by crafting a malicious HTTP payload — no credentials required. When these workflows chain a public webhook to action nodes such as database writes, outbound API calls, or third-party integrations, the injected fields propagate as trusted workflow data, causing the pipeline to act as a confused deputy: executing operations against attacker-chosen targets using the workflow owner's pre-configured credentials. Despite a moderate CVSS score of 5.4 (High Complexity), this CVE lands in the top 85th EPSS percentile, and n8n's track record of 95 prior CVEs in the same package signals sustained and aggressive security researcher attention. Patch immediately to n8n 2.25.7 or 2.26.2; as an interim workaround, disable or restrict all public (unauthenticated) webhook workflows that connect to action nodes with privileged or sensitive credentials.
What is the risk?
Real-world risk materially exceeds the CVSS 5.4 rating. The confused-deputy pattern means an attacker co-opts the workflow owner's already-configured API keys, DB connections, and OAuth tokens without ever needing to exfiltrate them directly. Attack complexity is rated High due to the requirement to understand the target's workflow topology, but n8n's public webhook surface is by design internet-exposed, significantly lowering the reconnaissance bar. No public exploit or CISA KEV listing exists at time of analysis, yet the top-85th-percentile EPSS score and 95 prior CVEs in this package indicate a well-researched target with active security community focus. AI and ML teams using n8n to orchestrate agentic pipelines — LLM calls, vector DB operations, data enrichment — face elevated risk for any workflow that accepts untrusted input via a public webhook.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | >= 2.26.0, < 2.26.2 | 2.26.2 |
Do you use n8n? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps:
1. PATCH: Upgrade n8n to 2.25.7 or 2.26.2 immediately — both versions correct the internal object-copy logic to prevent prototype chain pollution.
2. WORKAROUND (if patching is delayed): Disable or convert all public (unauthenticated) webhook endpoints that feed into action nodes with sensitive credentials or database write permissions; switch to authenticated webhooks wherever possible.
3. LEAST PRIVILEGE: Scope all n8n workflow credentials to the minimum permissions required — limit API key scopes, restrict DB users to specific tables/operations — so a confused-deputy exploitation has limited blast radius.
4. AUDIT: Enumerate all workflows matching the pattern 'public webhook → transform node → credential-bearing action node' and treat them as highest priority for patching or disabling.
5. DETECT: Monitor n8n process and application logs for anomalous action node executions — unexpected target URLs, unusual record IDs, or spikes in outbound API calls from webhook-triggered workflows are indicators of exploitation.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-54306?
n8n's public webhook handler contains a prototype pollution flaw (CWE-1321) that allows unauthenticated attackers to inject arbitrary fields into workflow execution data by crafting a malicious HTTP payload — no credentials required. When these workflows chain a public webhook to action nodes such as database writes, outbound API calls, or third-party integrations, the injected fields propagate as trusted workflow data, causing the pipeline to act as a confused deputy: executing operations against attacker-chosen targets using the workflow owner's pre-configured credentials. Despite a moderate CVSS score of 5.4 (High Complexity), this CVE lands in the top 85th EPSS percentile, and n8n's track record of 95 prior CVEs in the same package signals sustained and aggressive security researcher attention. Patch immediately to n8n 2.25.7 or 2.26.2; as an interim workaround, disable or restrict all public (unauthenticated) webhook workflows that connect to action nodes with privileged or sensitive credentials.
Is CVE-2026-54306 actively exploited?
No confirmed active exploitation of CVE-2026-54306 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54306?
1. PATCH: Upgrade n8n to 2.25.7 or 2.26.2 immediately — both versions correct the internal object-copy logic to prevent prototype chain pollution.
2. WORKAROUND (if patching is delayed): Disable or convert all public (unauthenticated) webhook endpoints that feed into action nodes with sensitive credentials or database write permissions; switch to authenticated webhooks wherever possible.
3. LEAST PRIVILEGE: Scope all n8n workflow credentials to the minimum permissions required — limit API key scopes, restrict DB users to specific tables/operations — so a confused-deputy exploitation has limited blast radius.
4. AUDIT: Enumerate all workflows matching the pattern 'public webhook → transform node → credential-bearing action node' and treat them as highest priority for patching or disabling.
5. DETECT: Monitor n8n process and application logs for anomalous action node executions — unexpected target URLs, unusual record IDs, or spikes in outbound API calls from webhook-triggered workflows are indicators of exploitation.
What systems are affected by CVE-2026-54306?
This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, Workflow automation with AI/LLM action nodes, Multi-step agentic pipelines with external tool integrations, Data enrichment pipelines with public webhook ingestion, No-code AI workflow builders with credential-bearing action nodes.
What is the CVSS score for CVE-2026-54306?
CVE-2026-54306 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.05%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0048 External Harms
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0086 Exfiltration via AI Agent Tool Invocation
Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact
A prototype pollution vulnerability allowed a crafted public webhook payload to inject attacker-controlled fields into workflow data during internal object copying. These fields could be surfaced and consumed as normal values by downstream built-in nodes. Where a workflow combines a public webhook with action nodes that consume the resulting fields, an attacker could cause the workflow to act as a confused deputy — targeting unintended records or issuing outbound requests using the workflow owner's configured credentials.
## Patches
The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Avoid exposing public (unauthenticated) webhook workflows that pass incoming data through transform nodes into action nodes with sensitive credentials or database operations.
- Limit workflow creation and editing permissions to fully trusted users only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An adversary identifies an organization's n8n instance hosting a publicly accessible webhook-triggered workflow that enriches incoming data and writes results to a CRM or triggers Slack notifications using the workflow owner's OAuth credentials. The adversary sends a crafted HTTP POST to the public webhook endpoint with a JSON body containing prototype pollution payloads — e.g., keys named '__proto__' or 'constructor.prototype' with attacker-controlled values. During n8n's internal object spread and copy operations, these keys pollute the JavaScript prototype chain on the workflow's execution data object. Downstream transform nodes surface the injected fields as legitimate data. An HTTP Request or database action node then consumes the poisoned field as a target URL, record ID, or API parameter, and executes the operation using the workflow owner's configured credentials. The attacker achieves proxy-authenticated access to integrated services — CRMs, LLM APIs, vector databases — without ever obtaining credentials directly and without leaving obvious authentication traces.
Weaknesses (CWE)
CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
- [Implementation] By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
- [Architecture and Design] By blocking modifications of attributes that resolve to the object prototype, such as '__proto__' or 'prototype', this weakness can be mitigated.
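The two CWE mitigations above, shown as an added example in JavaScript (n8n's runtime language) that is not code from n8n or from the advisory: a naive recursive copy of the kind CWE-1321 describes, the hardened copy that drops prototype-chain keys and never recurses into an inherited property, and a pre-copy check that reports offending key paths so a webhook request can be rejected and logged before any copying happens. The webhook body and the target URL are constructed placeholders.

```javascript
// Added example (not n8n's code): the copy pattern CWE-1321 describes, next to
// a hardened copy and a pre-copy payload check. The body below is a
// constructed webhook payload; the host is a placeholder.
const CONSTRUCTED_WEBHOOK_BODY = JSON.parse(
  '{"name":"alice","__proto__":{"targetUrl":"https://unexpected.invalid/collect"}}'
);
// JSON.parse stores "__proto__" as an ordinary own key, so the key survives
// parsing and only becomes dangerous once a copy routine assigns through it.

// Naive recursive copy. For the key "__proto__", target[key] resolves through
// the inherited accessor to Object.prototype, so the recursion writes into the
// prototype shared by every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Shows the effect, then undoes it so the rest of the process stays clean.
// Returns the value an unrelated, empty object reports for targetUrl.
function demoNaiveMerge() {
  naiveMerge({}, CONSTRUCTED_WEBHOOK_BODY);
  const leaked = ({}).targetUrl;
  delete Object.prototype.targetUrl;
  return leaked;
}

// Keys that resolve to the prototype chain (the Architecture and Design
// mitigation from the CWE entry).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Hardened copy: own keys only, prototype-chain keys are dropped, and the
// recursion target is always a fresh or own plain object, never an inherited one.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Pre-copy check for a parsed webhook body: returns the dotted path of every
// key that would reach the prototype chain. An empty result means the body is
// safe to copy; anything else is a request to reject and log.
function findPrototypeKeys(value, path = []) {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findPrototypeKeys(item, path.concat(String(i)))));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      const here = path.concat(key);
      if (UNSAFE_KEYS.has(key)) hits.push(here.join('.'));
      else hits.push(...findPrototypeKeys(value[key], here));
    }
  }
  return hits;
}
```

Freezing Object.prototype at process start (the Implementation-level option in the CWE entry) is complementary to the key filter and is left out of the block because it changes behaviour for the whole process rather than for one copy routine. A rejected request is also a useful detection signal for the DETECT step: a public webhook receiving bodies with '__proto__' or 'constructor' keys is worth an alert on its own.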
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
References
Timeline
Related Vulnerabilities
- CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (Same package: n8n)
- CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (Same package: n8n)
- CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (Same package: n8n)
- CVE-2026-27577 9.9 n8n: Code Injection enables RCE (Same package: n8n)
- CVE-2026-27494 9.9 n8n: security flaw enables exploitation (Same package: n8n)