Prototype Pollution Vulnerability in n8n Workflow Automation Platform
CVE-2026-54306

6.3MEDIUM

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-54306?

n8n, an open-source workflow automation platform, is susceptible to a prototype pollution vulnerability that impacts versions before 2.25.7 and 2.26.2. This vulnerability arises from the handling of crafted public webhook payloads, enabling attackers to inject fields that they control into the internal workflow data. As these fields are integrated and processed by downstream built-in nodes, they could allow an attacker to manipulate the workflow into acting as a confused deputy. This could ultimately lead to unauthorized access to sensitive records or the execution of outbound requests through the workflow owner's credentials. The issue has been addressed in subsequent versions to safeguard users against such threats.

Affected Version(s)

n8n >= 2.26.0, < 2.26.2 < 2.26.0, 2.26.2

n8n < 2.25.7 < 2.25.7

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-2v...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
Jun 12, 2026

CVE-2026-54306 Data

JSON

N8n-io

What is CVE-2026-54306?

Affected Version(s)

References

CVSS V4

Timeline