A flaw in n8n's Microsoft SQL node lets any authenticated user with workflow-edit rights poison `Object.prototype` for the whole n8n server process, taking down the entire automation platform until an operator restarts it. For teams using n8n as AI agent orchestration infrastructure (chaining LLM calls, RAG pipelines or automated security workflows) this is a single-account kill switch: one low-privilege insider or one compromised credential silences every connected pipeline at once. CVSS v3.1 rates it 8.5 (High), with changed scope and high availability impact (S:C, A:H). The raw EPSS probability is low (0.00043), but n8n carries 105 known CVEs, an OpenSSF Scorecard of 6.5/10 and a package risk score of 69/100, so the project is a large and frequently patched attack surface. Upgrade to n8n 2.24.0 or later now; if patching is blocked, add `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable and restrict workflow creation and editing to fully trusted accounts as interim controls.
What is the risk?
High risk for organisations running n8n as production AI orchestration. The bar to exploit is low: a single authenticated account with workflow create/edit permission suffices, over the network, with no user interaction (AV:N/AC:L/PR:L/UI:N). The blast radius is maximal: the pollution is process-wide and takes effect for every in-flight and subsequent workflow. There is no confidentiality impact (C:N) and only low integrity impact (I:L), but availability impact is high (A:H) and the damage crosses from one node into the whole platform (S:C). The 86th-percentile EPSS standing, combined with n8n's history of 105 CVEs and a mediocre OpenSSF score, raises the probability of targeted exploitation where n8n is internet-exposed or multi-tenant.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 2.24.0 | 2.24.0 |
If you run any n8n release earlier than 2.24.0 with the built-in Microsoft SQL node enabled (the default), you are affected.
What should I do?
Five steps:

1. Patch: upgrade n8n to 2.24.0 or later. This is the definitive fix.
2. Workaround A: disable the vulnerable node without upgrading by adding `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable, which n8n reads as a JSON array of node type names, for example `NODES_EXCLUDE='["n8n-nodes-base.microsoftSql"]'`. Workflows that already use the node stop working until it is re-enabled after patching, so inventory them first.
3. Workaround B: restrict workflow creation and editing rights to the smallest set of fully trusted, named users via n8n's role settings.
4. Detection: monitor application logs for 'prototype pollution' messages and for sudden validation-failure cascades across unrelated workflows that clear only after a process restart; alert on unexpected n8n process restarts in production.
5. Compensating control: place n8n behind a reverse proxy that requires additional authentication for the workflow editor UI, to limit what a compromised credential can reach.
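The script below is an added example for step 4, written for this page; it is not n8n tooling and the log lines it parses are constructed. It buckets validation outcomes per minute, raises an alert when the failure ratio jumps from a healthy baseline to near 100%, and when the cascade clears records whether a process-startup marker was seen in between, which is the signature the advisory describes. The line layout, the `validation ok` / `validation failed` wording and the `n8n ready on` startup marker are assumptions; adjust the regular expressions to your deployment's real log format.

```javascript
// Added example for this page, not n8n tooling: detect the symptom described in
// the advisory (a validation-failure cascade that clears only after a process
// restart) from application logs. The log format, the "validation ok/failed"
// wording and the "n8n ready on" startup marker are assumptions; adjust the
// regular expressions to your deployment's real log lines.

// Constructed sample log: a healthy minute, two minutes of total failure across
// unrelated workflows, a restart marker, then healthy traffic again.
const CONSTRUCTED_LOG = `
2026-03-01T10:00:05Z info  workflow wf-7 validation ok
2026-03-01T10:00:17Z info  workflow wf-2 validation ok
2026-03-01T10:00:41Z warn  workflow wf-9 validation failed: missing field
2026-03-01T10:00:52Z info  workflow wf-7 validation ok
2026-03-01T10:01:03Z error workflow wf-2 validation failed: unknown field
2026-03-01T10:01:09Z error workflow wf-5 validation failed: unknown field
2026-03-01T10:01:14Z error workflow wf-7 validation failed: unknown field
2026-03-01T10:01:30Z error workflow wf-9 validation failed: unknown field
2026-03-01T10:01:48Z error workflow wf-1 validation failed: unknown field
2026-03-01T10:02:02Z error workflow wf-3 validation failed: unknown field
2026-03-01T10:02:20Z error workflow wf-2 validation failed: unknown field
2026-03-01T10:02:45Z error workflow wf-7 validation failed: unknown field
2026-03-01T10:03:00Z info  n8n ready on 0.0.0.0, port 5678
2026-03-01T10:03:10Z info  workflow wf-2 validation ok
2026-03-01T10:03:25Z info  workflow wf-5 validation ok
`;

const LINE_RE = /^(\S+)\s+(\w+)\s+(.*)$/; // timestamp level message
const RESTART_RE = /n8n ready on/i;       // assumed startup marker
const FAIL_RE = /validation failed/i;
const OK_RE = /validation ok/i;

// Returns { t, kind } for lines we care about, null for everything else.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const t = Date.parse(m[1]);
  if (Number.isNaN(t)) return null;
  const msg = m[3];
  if (RESTART_RE.test(msg)) return { t, kind: 'restart' };
  if (FAIL_RE.test(msg)) return { t, kind: 'fail' };
  if (OK_RE.test(msg)) return { t, kind: 'ok' };
  return null;
}

// Buckets validation outcomes per minute and emits an alert when the failure
// ratio jumps from a healthy baseline to near 100%, and another when it clears.
// The clearing alert records whether a restart marker was seen in between.
function detectCascades(logText, opts = {}) {
  const { minEvents = 4, failThreshold = 0.9, healthyThreshold = 0.25 } = opts;
  const buckets = new Map();
  for (const ev of logText.split('\n').map(parseLine).filter(Boolean)) {
    const minute = Math.floor(ev.t / 60000) * 60000;
    if (!buckets.has(minute)) buckets.set(minute, { ok: 0, fail: 0, restartAt: null });
    const b = buckets.get(minute);
    if (ev.kind === 'restart') b.restartAt = ev.t;
    else b[ev.kind] += 1;
  }

  const alerts = [];
  let cascade = null;   // cascade currently in progress
  let prevRatio = null; // failure ratio of the previous minute that had traffic
  for (const minute of [...buckets.keys()].sort((a, b) => a - b)) {
    const b = buckets.get(minute);
    const total = b.ok + b.fail;
    const ratio = total ? b.fail / total : null;
    const iso = new Date(minute).toISOString();

    if (!cascade && ratio !== null && total >= minEvents && ratio >= failThreshold
        && (prevRatio === null || prevRatio <= healthyThreshold)) {
      cascade = { startedAt: iso, restartedAt: null };
      alerts.push({ type: 'validation_cascade_started', at: iso });
    }
    if (cascade && b.restartAt !== null) cascade.restartedAt = new Date(b.restartAt).toISOString();
    if (cascade && ratio !== null && ratio <= healthyThreshold) {
      alerts.push({
        type: cascade.restartedAt ? 'cascade_cleared_only_after_restart' : 'cascade_cleared_without_restart',
        at: iso,
        restartedAt: cascade.restartedAt,
      });
      cascade = null;
    }
    if (ratio !== null) prevRatio = ratio;
  }
  return alerts;
}

console.log(JSON.stringify(detectCascades(CONSTRUCTED_LOG), null, 2));
```

On the constructed log this yields two alerts: a cascade starting at 10:01 and a clearance at 10:03 tagged `cascade_cleared_only_after_restart`. A cascade that clears without a restart marker is still reported, just with a different type, since a validation regression from a bad deploy looks similar in the first minutes. Pair the output with a restart alert from your process supervisor; the advisory's symptom is specifically that nothing short of a restart clears the failures.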
Frequently Asked Questions
What is CVE-2026-54312?
CVE-2026-54312 is a prototype pollution flaw (CWE-1321) in the Microsoft SQL node of n8n versions before 2.24.0. An authenticated user who can create or edit workflows can supply a crafted table parameter that writes to `Object.prototype` for the whole server process, causing application-wide validation failures and leaving the instance non-functional until it is restarted. It is rated CVSS v3.1 8.5 (High). The fix is n8n 2.24.0 or later; interim controls are excluding the node via `NODES_EXCLUDE` and restricting workflow creation and editing to fully trusted accounts.
Is CVE-2026-54312 actively exploited?
No confirmed active exploitation of CVE-2026-54312 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54312?
1. Patch: upgrade n8n to 2.24.0 or later; this is the definitive fix. 2. Workaround A: add `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable (a JSON array of node type names, for example `NODES_EXCLUDE='["n8n-nodes-base.microsoftSql"]'`) to disable the vulnerable node without upgrading; workflows that use the node stop working until it is re-enabled after patching. 3. Workaround B: restrict workflow creation and editing rights to the smallest set of fully trusted, named users via n8n's role settings. 4. Detection: monitor application logs for 'prototype pollution' messages and for sudden validation-failure cascades that clear only after a process restart; alert on unexpected n8n process restarts in production. 5. Compensating control: place n8n behind a reverse proxy that requires additional authentication for the workflow editor UI, to limit what a compromised credential can reach.
What systems are affected by CVE-2026-54312?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, data ingestion pipelines, RAG pipelines, LLM orchestration.
What is the CVSS score for CVE-2026-54312?
CVE-2026-54312 has a CVSS v3.1 base score of 8.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H. The EPSS exploitation probability is 0.04% (0.00043).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
What are the technical details?
Original Advisory
## Impact

An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server process, causing application-wide validation failures and rendering the n8n instance completely non-functional until restarted.

## Patches

The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Microsoft SQL node by adding `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker with a low-privilege n8n account, obtained through credential stuffing, phishing a developer or compromising a CI/CD service account, opens the workflow editor and creates or edits any workflow that includes the Microsoft SQL node. They set the node's table parameter to a crafted value that the node resolves as a property path through `__proto__` (a bracket path of the form `__proto__[someKey]`, for instance; the advisory does not disclose the exact payload). When the workflow executes, the node writes the attacker's value onto `Object.prototype` instead of onto its own table object. Every plain object in the Node.js process inherits from that prototype, so the polluted key is visible to the application's validation layer on every subsequent request and validation fails application-wide. The entire instance becomes non-functional, breaking all active AI agent automations, and stays that way until an operator with server access restarts the process, which in an unmonitored deployment may take hours.
Weaknesses (CWE)
CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
- [Implementation] By freezing the object prototype first (for example, `Object.freeze(Object.prototype)`), modification of the prototype becomes impossible.
- [Architecture and Design] By blocking modifications of attributes that resolve to the object prototype, such as `__proto__` or `prototype`, this weakness can be mitigated.
Source: MITRE CWE corpus.
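To make the scenario above and the CWE's second mitigation concrete, here is an added JavaScript example written for this page. It is not n8n's Microsoft SQL node code and does not reproduce the real payload; it shows a generic "assign a nested key from a bracket path" sink that accepts attacker-controlled input, the `for...in` based validator that breaks for every unrelated object in the process once `Object.prototype` is polluted, and a hardened sink that rejects `__proto__`, `constructor` and `prototype` segments and only descends into own properties. The path syntax, the key name `pollutedFlag` and all function names are hypothetical.

```javascript
// Added example for this page, not n8n's Microsoft SQL node code: a generic
// "assign a nested key from a bracket path" sink of the kind CWE-1321 describes,
// a validator it breaks process-wide, and a hardened sink. The path syntax, the
// key `pollutedFlag`, and all function names are hypothetical.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split "a[b][c]" or "a.b.c" into path segments.
function parsePath(path) {
  return String(path).split(/\]\[|\[|\]|\./).filter(Boolean);
}

// VULNERABLE sink. It walks the path, creating intermediate objects as needed,
// then assigns the leaf. A segment "__proto__" resolves to Object.prototype via
// inherited lookup, so the leaf assignment lands on every object in the process.
function setPathUnsafe(target, path, value) {
  const segs = parsePath(path);
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur[segs[i]] === null || typeof cur[segs[i]] !== 'object') cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// HARDENED sink (the CWE's "Architecture and Design" mitigation): reject the
// segments that reach the prototype chain and only descend into own properties,
// so an inherited object is never walked into.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const segs = parsePath(path);
  const bad = segs.find((s) => FORBIDDEN_SEGMENTS.has(s));
  if (bad !== undefined) throw new Error(`rejected path segment "${bad}" in "${path}"`);
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const next = hasOwn(cur, segs[i]) ? cur[segs[i]] : undefined;
    if (next === null || typeof next !== 'object') cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// A validator of the shape the advisory's symptom implies: it rejects fields not
// declared in the schema. for...in also enumerates inherited enumerable
// properties, so a key polluted onto Object.prototype appears in every payload
// and every payload is rejected, whoever built it.
function validatePayload(schema, payload) {
  const errors = [];
  for (const key in payload) {
    if (!hasOwn(schema, key)) errors.push(`unknown field: ${key}`);
  }
  return errors;
}

// Runs the attack against the unsafe sink, shows the cascade onto an unrelated
// payload, shows the hardened sink rejecting the same input, then "restarts" by
// deleting the polluted key. Returns the observations so they can be checked.
function demonstrate() {
  const schema = { name: true };
  const unrelated = { name: 'orders' }; // built by a different "request"
  const beforeAttack = validatePayload(schema, unrelated);

  const table = '__proto__[pollutedFlag]'; // attacker-controlled parameter, hypothetical key
  setPathUnsafe({}, table, false);
  const afterAttack = validatePayload(schema, unrelated);

  let safeRejected = false;
  try { setPathSafe({}, table, false); } catch (e) { safeRejected = true; }

  // In production only a process restart clears this; here we delete the key so
  // the rest of the process is usable again.
  delete Object.prototype.pollutedFlag;
  const afterRestart = validatePayload(schema, unrelated);

  return { beforeAttack, afterAttack, safeRejected, afterRestart };
}

console.log(demonstrate());
```

The unrelated payload validates cleanly before the attack, is rejected with `unknown field: pollutedFlag` afterwards even though nothing about it changed, and validates again only once the prototype key is removed. The CWE's first mitigation, `Object.freeze(Object.prototype)` at process start, is not shown because it is irreversible for the whole process and breaks libraries that legitimately extend built-in prototypes; if you adopt it, do so behind a startup flag and test your dependency set. Building parameter objects with `Object.create(null)` is a third option that removes the prototype chain from the sink entirely.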
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-33663 | 10.0 | n8n: member role steals plaintext HTTP credentials | Same package: n8n |
| CVE-2026-54309 | 10.0 | n8n: MCP browser auth bypass allows full browser takeover | Same package: n8n |
| CVE-2026-21858 | 10.0 | n8n: Input Validation flaw enables exploitation | Same package: n8n |
| CVE-2026-33660 | 10.0 | TensorFlow: type confusion NPD in tensor conversion | Same package: n8n |
| CVE-2026-27577 | 9.9 | n8n: Code Injection enables RCE | Same package: n8n |