CVE-2026-54313: n8n: MongoDB query injection overwrites arbitrary documents

GHSA-jpq7-226w-6cxx HIGH
Published June 16, 2026
CISO Take

n8n's MongoDB integration node fails to validate filter inputs in its Find And Replace operation, allowing any authenticated user with workflow edit permissions to craft queries that match and overwrite unintended documents across your entire MongoDB instance. At CVSS 7.7 with Scope:Changed, a single compromised low-privilege account—insider threat or phished credential—can corrupt data far beyond the intended workflow scope, with high integrity impact across any collection the n8n service account can reach. With 95 known CVEs in this package already and an EPSS in the 88th percentile, n8n is a persistently high-risk component in AI automation stacks, particularly dangerous when it mediates RAG data ingestion or agent memory stores. Upgrade to n8n 2.24.0 immediately; if patching is not feasible, exclude the MongoDB node via NODES_EXCLUDE=n8n-nodes-base.mongoDb and audit recent workflow executions for anomalous bulk-update patterns in MongoDB.

Sources: NVD, GitHub Advisory, EPSS, OpenSSF, ATLAS

What is the risk?

HIGH. CVSS 7.7 with Scope:Changed amplifies the blast radius beyond the n8n application itself—any MongoDB collection reachable by the n8n service account is in scope for arbitrary overwrite. The low privilege requirement (any authenticated workflow editor) and network-accessible attack vector mean compromised SSO accounts, disgruntled employees, or supply-chain-compromised credentials are all viable threat actors. The 88th percentile EPSS reflects elevated exploitation likelihood relative to the broader CVE population. n8n is increasingly embedded in AI agent pipelines and LLM workflow automation stacks, making it a high-value target for adversaries seeking to corrupt agent memory, RAG knowledge bases, or operational databases without triggering traditional security controls.

How does the attack unfold?

Initial Access (AML.T0012)
Attacker authenticates to n8n using valid credentials with workflow edit permissions, obtained via phishing, credential stuffing, or insider access.

Tool Abuse (AML.T0053)
Attacker edits a workflow containing a MongoDB node and supplies a malicious filter value (e.g., empty filter {}) in the Find And Replace operation, bypassing application-level query scoping.

Data Corruption (AML.T0101)
The unsanitized filter matches unintended documents across the entire MongoDB collection, overwriting them with attacker-controlled content at scale.

AI Pipeline Poisoning (AML.T0099)
Corrupted records propagate silently into downstream AI components—RAG knowledge bases, agent memory stores, or LLM input queues—degrading AI system integrity on next retrieval.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable Range: < 2.24.0
Patched: 2.24.0

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): None
I (Integrity): High
A (Availability): None

What should I do?

5 steps
  1. PATCH

    Upgrade n8n to version 2.24.0 or later immediately—this is the only full remediation.

  2. WORKAROUND

    If patching is not immediately feasible, disable the MongoDB node by adding n8n-nodes-base.mongoDb to the NODES_EXCLUDE environment variable and restart n8n.

  3. ACCESS CONTROL

    Audit and immediately restrict workflow creation and editing permissions to fully trusted users only; revoke workflow edit access from shared service accounts and automation identities.

  4. DETECTION

    Enable MongoDB audit logging and alert on unexpected bulk-update operations or find-and-replace queries originating from the n8n service account, particularly those using broad filter operators (empty filters, $exists, $ne).

  5. INTEGRITY VALIDATION

    Inspect MongoDB collections managed by n8n workflows for unexpected document modifications, especially any collections feeding AI/ML pipelines, RAG indexes, or agent memory stores—prioritize collections modified in the 30 days prior to patching.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.5 - AI system data integrity controls
NIST AI RMF: MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-54313 actively exploited?

No confirmed active exploitation of CVE-2026-54313 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-54313?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, RAG pipelines, LLM workflow automation, Data ingestion pipelines, Agent memory stores.

What is the CVSS score for CVE-2026-54313?

CVE-2026-54313 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.04%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
RAG pipelines
LLM workflow automation
Data ingestion pipelines
Agent memory stores

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0099 AI Agent Tool Data Poisoning
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Impact

An authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation. The value was not validated before being passed to MongoDB as a query filter, allowing unintended documents to be matched and overwritten with attacker-controlled content.

## Patches

The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the MongoDB node by adding `n8n-nodes-base.mongoDb` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with stolen or insider n8n credentials holding workflow edit permissions navigates to an existing workflow containing a MongoDB Find And Replace node. Rather than supplying the intended scoped filter (e.g., {"status": "pending", "tenant_id": "acme"}), the attacker injects a MongoDB query operator such as an empty object {} or {"_id": {"$exists": true}} that matches the entire target collection. They set the replacement document to attacker-controlled content—for example, injecting adversarial prompt payloads into a field that feeds an LLM's system context on the next RAG retrieval, zeroing out critical operational records, or replacing chunk content in an AI knowledge base with disinformation. The operation executes silently under the guise of a legitimate workflow run, leaves minimal forensic trace in n8n's own logs, and the corruption propagates to downstream AI components on their next retrieval cycle.
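The scoped-versus-broad filter distinction in this scenario, and the audit-log alerting recommended under step 4 (DETECTION) above, as an added Node.js example that is not n8n's code or its patch: an allow-list guard that would reject the injected filters at the node boundary, and a scanner over constructed audit records. It assumes audit entries follow the general shape of MongoDB's authCheck event (users[], param.command/ns/args) and that $nin and $where are worth flagging alongside the $exists and $ne the page names.

```javascript
// Added example, not n8n's code: flag "broad" MongoDB filters, use that as an
// allow-list guard on the Find And Replace input, and scan audit records for broad
// updates by the n8n user. $exists/$ne are from the page; $nin/$where are assumed.
const BROAD_OPERATORS = new Set(['$exists', '$ne', '$nin', '$where']);
// Returns { broad, reasons }: empty filters and broad operators at any depth.
function classifyFilter(filter) {
  if (!filter || typeof filter !== 'object' || Array.isArray(filter)) return { broad: true, reasons: ['not a plain object'] };
  const reasons = Object.keys(filter).length ? [] : ['empty filter {} matches every document'];
  const walk = (node, path) => {
    if (!node || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      if (BROAD_OPERATORS.has(key)) reasons.push(`${key} at ${path || '<root>'}`);
      walk(value, path ? `${path}.${key}` : key);
    }
  };
  walk(filter, '');
  return { broad: reasons.length > 0, reasons };
}
// Prevention: allow-list guard for the node input. Non-empty, plain field names
// and scalar values only (equality matches), so no query operator reaches MongoDB.
function isScopedFilter(filter) {
  return !classifyFilter(filter).broad && Object.entries(filter).every(([k, v]) =>
    !k.startsWith('$') && ['string', 'number', 'boolean'].includes(typeof v));
}
// Detection: JSON-lines records approximating MongoDB's authCheck audit event shape
// (users[], param.command/ns/args). Flags broad update/findAndModify filters.
function scanAuditLog(lines, serviceUser = 'n8n') {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    const cmd = entry.param && entry.param.command;
    if (!['update', 'findAndModify'].includes(cmd) || !(entry.users || []).some((u) => u.user === serviceUser)) continue;
    const args = entry.param.args || {};
    const queries = cmd === 'update' ? (args.updates || []).map((u) => u.q) : [args.query];
    for (const q of queries) {
      const { broad, reasons } = classifyFilter(q === undefined ? {} : q);
      if (broad) findings.push({ ns: entry.param.ns, command: cmd, reasons });
    }
  }
  return findings;
}
// Constructed sample records, not real logs: one scoped update (not flagged), one
// empty-filter update and one $exists findAndModify (both flagged).
const SAMPLE_AUDIT_LINES = [
  { users: [{ user: 'n8n' }], param: { command: 'update', ns: 'rag.chunks', args: { updates: [{ q: { tenant_id: 'acme', status: 'pending' }, u: { $set: { status: 'done' } } }] } } },
  { users: [{ user: 'n8n' }], param: { command: 'update', ns: 'rag.chunks', args: { updates: [{ q: {}, u: { $set: { text: 'x' } }, multi: true }] } } },
  { users: [{ user: 'n8n' }], param: { command: 'findAndModify', ns: 'agent.memory', args: { query: { _id: { $exists: true } }, update: { $set: { text: 'x' } } } } },
].map((e) => JSON.stringify({ atype: 'authCheck', ...e }));
```

Running `scanAuditLog(SAMPLE_AUDIT_LINES)` returns two findings (the empty-filter update on rag.chunks and the $exists findAndModify on agent.memory); the guard accepts the scoped filter and rejects both injected ones.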

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities