CVE-2026-54309: n8n MCP browser auth bypass

Q: Is CVE-2026-54309 actively exploited?

No confirmed active exploitation of CVE-2026-54309 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-54309?

1. Upgrade n8n to version 2.25.7 or 2.26.2 immediately. 2. If patching is not possible, switch @n8n/mcp-browser from --transport http to the default stdio transport, which eliminates the vulnerable attack surface entirely. 3. If HTTP transport is operationally required, apply host-based firewall rules to restrict the MCP listening port to explicitly trusted IP addresses only. 4. Audit all n8n deployments for HTTP transport usage: grep process lists, systemd units, and startup scripts for '--transport http'. 5. Review HTTP access logs on the MCP port for any unexpected session initialization requests on affected instances. 6. Rotate session tokens for enterprise applications accessed in browsers where this configuration was active, particularly SSO/IdP tokens (Okta, Azure AD) and version control tokens (GitHub, GitLab).

Q: What systems are affected by CVE-2026-54309?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, browser automation pipelines, agentic AI systems, MCP tool servers.

Q: What is the CVSS score for CVE-2026-54309?

CVE-2026-54309 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.06%.

CISO Take

CVE-2026-54309 exposes a complete authentication bypass in n8n's @n8n/mcp-browser component when run with HTTP transport, allowing any unauthenticated network client—or any malicious website the user visits—to seize control of the user's real browser via MCP tool invocation. With a CVSS 10.0 score and no privileges, interaction, or complexity required (AV:N/AC:L/PR:N/UI:N/S:C), an adversary can execute arbitrary JavaScript, steal session cookies and localStorage, and navigate on behalf of the user across all authenticated sessions in the browser. While EPSS sits at 0.00057 in absolute terms, that still places this in the top 82% exploitation likelihood percentile, and the trivial exploitation path—an unauthenticated HTTP POST to the MCP endpoint—eliminates any meaningful technical barrier to abuse. Upgrade to n8n 2.25.7 or 2.26.2 immediately; if patching is not possible, disable HTTP transport and revert to the default stdio mode.

Sources: NVD GitHub Advisory EPSS ATLAS OpenSSF

What is the risk?

Maximum severity (CVSS 10.0). No authentication, no complexity, no user interaction required for exploitation over the network, with changed scope (S:C) indicating impact well beyond the vulnerable component itself. Any organization running n8n AI agent workflows with @n8n/mcp-browser in HTTP transport mode has effectively exposed the user's entire browser session—including enterprise SaaS tokens, banking credentials, and authenticated APIs—to unauthenticated remote control. The drive-by attack vector (any visited website can trigger exploitation via cross-origin requests to localhost) compounds risk significantly for developers running n8n locally, as it removes the prerequisite of network-level access entirely.

How does the attack unfold?

Initial Access

Adversary identifies @n8n/mcp-browser running with --transport http via port scanning, or positions a malicious website to make cross-origin requests to the local MCP HTTP port without any network traversal.

AML.T0049

Authentication Bypass

Adversary sends an unauthenticated MCP session initialization request to the HTTP endpoint; the server accepts it unconditionally due to CWE-306 with no credential, token, or origin validation.

AML.T0078

Browser Tool Invocation

Adversary invokes MCP browser-control tools to execute arbitrary JavaScript against the user's live browser profile and navigate to attacker-controlled infrastructure.

AML.T0053

Session Hijacking and Exfiltration

Stolen session cookies and Web Storage tokens are transmitted to the adversary, enabling account takeover across all enterprise and SaaS applications authenticated in the compromised browser.

AML.T0086

Initial Access

Adversary identifies @n8n/mcp-browser running with --transport http via port scanning, or positions a malicious website to make cross-origin requests to the local MCP HTTP port without any network traversal.

AML.T0049

Authentication Bypass

Adversary sends an unauthenticated MCP session initialization request to the HTTP endpoint; the server accepts it unconditionally due to CWE-306 with no credential, token, or origin validation.

AML.T0078

Browser Tool Invocation

Adversary invokes MCP browser-control tools to execute arbitrary JavaScript against the user's live browser profile and navigate to attacker-controlled infrastructure.

AML.T0053

Session Hijacking and Exfiltration

Stolen session cookies and Web Storage tokens are transmitted to the adversary, enabling account takeover across all enterprise and SaaS applications authenticated in the compromised browser.

AML.T0086

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	>= 2.26.0, < 2.26.2	`2.26.2`
192.4K OpenSSF 6.5 Pushed 3d ago 55% patched ~2d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1

10.0 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 18% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Changed

C High

I High

A Low

What should I do?

6 steps

Upgrade n8n to version 2.25.7 or 2.26.2 immediately.
If patching is not possible, switch @n8n/mcp-browser from --transport http to the default stdio transport, which eliminates the vulnerable attack surface entirely.
If HTTP transport is operationally required, apply host-based firewall rules to restrict the MCP listening port to explicitly trusted IP addresses only.
Audit all n8n deployments for HTTP transport usage: grep process lists, systemd units, and startup scripts for '--transport http'.
Review HTTP access logs on the MCP port for any unexpected session initialization requests on affected instances.
Rotate session tokens for enterprise applications accessed in browsers where this configuration was active, particularly SSO/IdP tokens (Okta, Azure AD) and version control tokens (GitHub, GitLab).

How is it classified?

Auth Bypass Code Execution Data Extraction Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0078 - Drive-by Compromise AML.T0086 - Exfiltration via AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.1 - Access control for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to minimize AI risk occurrence and impact

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-54309?

CVE-2026-54309 exposes a complete authentication bypass in n8n's @n8n/mcp-browser component when run with HTTP transport, allowing any unauthenticated network client—or any malicious website the user visits—to seize control of the user's real browser via MCP tool invocation. With a CVSS 10.0 score and no privileges, interaction, or complexity required (AV:N/AC:L/PR:N/UI:N/S:C), an adversary can execute arbitrary JavaScript, steal session cookies and localStorage, and navigate on behalf of the user across all authenticated sessions in the browser. While EPSS sits at 0.00057 in absolute terms, that still places this in the top 82% exploitation likelihood percentile, and the trivial exploitation path—an unauthenticated HTTP POST to the MCP endpoint—eliminates any meaningful technical barrier to abuse. Upgrade to n8n 2.25.7 or 2.26.2 immediately; if patching is not possible, disable HTTP transport and revert to the default stdio mode.

Is CVE-2026-54309 actively exploited?

No confirmed active exploitation of CVE-2026-54309 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54309?

1. Upgrade n8n to version 2.25.7 or 2.26.2 immediately. 2. If patching is not possible, switch @n8n/mcp-browser from --transport http to the default stdio transport, which eliminates the vulnerable attack surface entirely. 3. If HTTP transport is operationally required, apply host-based firewall rules to restrict the MCP listening port to explicitly trusted IP addresses only. 4. Audit all n8n deployments for HTTP transport usage: grep process lists, systemd units, and startup scripts for '--transport http'. 5. Review HTTP access logs on the MCP port for any unexpected session initialization requests on affected instances. 6. Rotate session tokens for enterprise applications accessed in browsers where this configuration was active, particularly SSO/IdP tokens (Okta, Azure AD) and version control tokens (GitHub, GitLab).

What systems are affected by CVE-2026-54309?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, browser automation pipelines, agentic AI systems, MCP tool servers.

What is the CVSS score for CVE-2026-54309?

CVE-2026-54309 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.06%.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI workflow automationbrowser automation pipelinesagentic AI systemsMCP tool servers

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0078 Drive-by Compromise

AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.1

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Impact When `@n8n/mcp-browser` is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke browser-control tools. Where the n8n AI Browser Bridge extension is installed and a browser connection is active, an unauthenticated caller can access browser-control capabilities including navigation, JavaScript evaluation, and cookie and storage access against the user's real browser profile. This issue only affects instances where `@n8n/mcp-browser` is run with the HTTP transport (`--transport http`). The default transport is stdio, which is not affected. ## Patches The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Avoid running `@n8n/mcp-browser` with the HTTP transport; use the default stdio transport instead. - If HTTP transport is required, restrict network access to the listening port to trusted clients only using host-based firewall rules. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary identifies a developer's workstation running @n8n/mcp-browser with --transport http via port scanning (common in local AI workflow development environments). Without credentials, they send an unauthenticated POST to the MCP HTTP endpoint to initialize a session, then chain browser-control tool calls to navigate to attacker infrastructure, extract authentication cookies from live Okta and GitHub sessions, and read localStorage tokens. Alternatively, a malicious advertisement served on any website the developer visits makes a cross-origin fetch to localhost on the MCP port—silently establishing a session and exfiltrating authentication tokens with no visible browser indicator and no user interaction required. In enterprise environments where n8n runs as a shared service with HTTP transport exposed on an internal network segment, a single compromised endpoint can be weaponized to harvest credentials from all users whose browsers have the n8n Browser Bridge extension active.

Weaknesses (CWE)

CWE-306 Missing Authentication for Critical Function Primary

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

[Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.