Authentication Bypass in n8n Workflow Automation Platform
CVE-2026-54309
What is CVE-2026-54309?
n8n is an open-source workflow automation platform that allows users to create workflows without extensive coding. Prior to versions 2.25.7 and 2.26.2, the @n8n/mcp-browser operated in an insecure mode using HTTP transport, enabling unauthenticated session initiations. This flaw permits any network-reachable client or malicious website to establish a session and invoke powerful browser control features without proper validation. Users of n8n who have installed the AI Browser Bridge extension and established a browser connection are particularly at risk, as this issue permits access to sensitive capabilities, including navigation, JavaScript execution, and local storage access. It's crucial for users to upgrade to the fixed versions to mitigate this vulnerability.
Affected Version(s)
n8n >= 2.26.0, < 2.26.2 < 2.26.0, 2.26.2
n8n < 2.25.7 < 2.25.7
