AI Threat Alert

CVE-2026-54311: n8n: prototype pollution leaks cross-user workflow data

GHSA-9c38-2mcm-q7f7 MEDIUM
Published June 16, 2026
CISO Take

CVE-2026-54311 is a sandbox context contamination flaw in n8n's Merge node SQL Query mode where a low-privileged authenticated user can inject JavaScript prototype mutations into a shared, cached sandbox, causing those mutations to persist across every subsequent workflow execution on the entire instance. Although CVSS scores this as medium (6.3), the vector tells a different story: Changed Scope with High Confidentiality impact means a contractor or junior analyst can silently intercept LLM outputs, RAG retrieval results, API credentials, or customer records flowing through any other user's workflows — without those users taking any action. EPSS places this in the top 82nd percentile of likely-to-be-exploited vulnerabilities, and n8n's 95 tracked CVEs signal structural security debt rather than an isolated bug. Upgrade to n8n 2.25.7 or 2.26.2 immediately; if patching is blocked, set NODES_EXCLUDE=n8n-nodes-base.merge and restrict workflow creation to fully trusted users.

Sources: NVD GitHub Advisory EPSS OpenSSF ATLAS

What is the risk?

Operationally higher than the medium CVSS label suggests. The Changed Scope (S:C) and High Confidentiality (C:H) in the CVSS vector reflect genuine cross-tenant blast radius: every user on a shared n8n instance is potentially a victim once the sandbox is poisoned. Attack Complexity is High because exploitation requires a multi-user instance with workflow creation rights, but that is the default deployment model for enterprise n8n. The attacker needs only a low-privileged account — no admin, no special tools. With no public exploit or KEV listing, near-term opportunistic exploitation is unlikely, but the technique is well within reach of any attacker familiar with JavaScript prototype pollution. Combined with 95 prior CVEs in the package and an OpenSSF Scorecard of 6.5/10, organizations should treat this as part of an elevated baseline risk for n8n-based AI agent pipelines.

How does the attack unfold?

Initial Access
Attacker authenticates to the multi-user n8n instance using a low-privileged account (contractor, junior analyst) with permission to create or modify workflows.
AML.T0012
Sandbox Poisoning
Attacker creates a workflow with a Merge node in SQL Query mode, injecting SQL that introduces JavaScript prototype mutations into the shared cached sandbox context.
AML.T0080
Persistent Context Corruption
Because the sandbox is cached and reused across all workflow executions on the instance, the prototype mutations persist and affect every subsequent Merge node SQL execution by any user without further attacker action.
AML.T0080
Cross-User Data Exfiltration
Victim users' workflow payloads — LLM responses, RAG retrieval results, API credentials, customer records — are intercepted through the corrupted prototype chain and become accessible to the attacker.
AML.T0085

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm >= 2.26.0, < 2.26.2 2.26.2
192.4K OpenSSF 6.5 Pushed 2d ago 51% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR Low
UI None
S Changed
C High
I None
A None

What should I do?

5 steps

  1. Patch immediately: upgrade to n8n 2.25.7 (2.25.x branch) or 2.26.2 (2.26.x branch).

  2. If patching is blocked: set environment variable NODES_EXCLUDE=n8n-nodes-base.merge to disable the Merge node globally; simultaneously restrict workflow creation and editing rights to fully trusted users only via n8n role management.

  3. Audit existing workflows: inspect all Merge node SQL Query mode workflows created by non-admin users for anomalous SQL or prototype-mutating patterns.

  4. Detection: correlate workflow execution logs for cross-user data appearing unexpectedly in outputs, or for unexpected Merge node activity from low-privileged accounts.

  5. For high-sensitivity deployments (LLM pipelines handling PII or credentials), isolate n8n instances per team or tenant as a structural control until patching is confirmed across all environments.

How is it classified?

Data Extraction Privacy Violation Agent Framework AML.T0012 AML.T0049 AML.T0053 AML.T0080 AML.T0085

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.4 - Security of AI system
NIST AI RMF
MANAGE 2.2 - Mechanisms to prevent or mitigate AI risks are in place
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-54311?

CVE-2026-54311 is a sandbox context contamination flaw in n8n's Merge node SQL Query mode where a low-privileged authenticated user can inject JavaScript prototype mutations into a shared, cached sandbox, causing those mutations to persist across every subsequent workflow execution on the entire instance. Although CVSS scores this as medium (6.3), the vector tells a different story: Changed Scope with High Confidentiality impact means a contractor or junior analyst can silently intercept LLM outputs, RAG retrieval results, API credentials, or customer records flowing through any other user's workflows — without those users taking any action. EPSS places this in the top 82nd percentile of likely-to-be-exploited vulnerabilities, and n8n's 95 tracked CVEs signal structural security debt rather than an isolated bug. Upgrade to n8n 2.25.7 or 2.26.2 immediately; if patching is blocked, set NODES_EXCLUDE=n8n-nodes-base.merge and restrict workflow creation to fully trusted users.

Is CVE-2026-54311 actively exploited?

No confirmed active exploitation of CVE-2026-54311 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54311?

1. Patch immediately: upgrade to n8n 2.25.7 (2.25.x branch) or 2.26.2 (2.26.x branch). 2. If patching is blocked: set environment variable NODES_EXCLUDE=n8n-nodes-base.merge to disable the Merge node globally; simultaneously restrict workflow creation and editing rights to fully trusted users only via n8n role management. 3. Audit existing workflows: inspect all Merge node SQL Query mode workflows created by non-admin users for anomalous SQL or prototype-mutating patterns. 4. Detection: correlate workflow execution logs for cross-user data appearing unexpectedly in outputs, or for unexpected Merge node activity from low-privileged accounts. 5. For high-sensitivity deployments (LLM pipelines handling PII or credentials), isolate n8n instances per team or tenant as a structural control until patching is confirmed across all environments.

What systems are affected by CVE-2026-54311?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow automation pipelines, multi-tenant AI orchestration, LLM pipeline orchestration, RAG pipelines.

What is the CVSS score for CVE-2026-54311?

CVE-2026-54311 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.06%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksworkflow automation pipelinesmulti-tenant AI orchestrationLLM pipeline orchestrationRAG pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

## Impact An authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node's SQL Query mode. Because the sandbox context was cached and reused across all workflow executions on the instance, prototype mutations introduced by one user's workflow persist into subsequent Merge SQL executions belonging to other users or projects. This allowed a low-privileged attacker to intercept workflow data processed by other users on the same instance. This issue only affects multi-user n8n instances where more than one user has permission to create and execute workflows containing the Merge node in SQL Query mode. ## Patches The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A low-privileged attacker — for example, a contractor with workflow creation rights on a shared enterprise n8n instance used for AI agent automation — creates a workflow containing a Merge node configured in SQL Query mode. The SQL payload is crafted to mutate JavaScript prototypes within the shared sandbox (e.g., overriding Object.prototype properties to redirect property accesses). Because n8n caches and reuses this sandbox context across all workflow executions on the instance, the prototype mutations persist after the attacker's workflow runs. When other users subsequently execute their own workflows containing Merge nodes — such as a security analyst running an automated CVE triage pipeline or an ops engineer processing customer data through an LLM — the corrupted prototype chain causes their workflow data to be intercepted or surfaced in attacker-accessible execution context. The attacker reviews captured payloads to extract API credentials, LLM outputs, or sensitive business records, all without any interaction from victim users beyond their routine workflow execution.

Weaknesses (CWE)

CWE-488 Exposure of Data Element to Wrong Session Primary

CWE-488 — Exposure of Data Element to Wrong Session: The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

  • [Architecture and Design] Protect the application's sessions from information leakage. Make sure that a session's data is not used or visible by other sessions.
  • [Testing] Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

References

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27495 9.9

n8n: Code Injection enables RCE

Same package: n8n
Back to Threat Feed