Authentication Bypass in n8n Workflow Automation Platform
CVE-2026-54309

8.8HIGH

Key Information:

Vendor

N8n-io

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-54309?

n8n is an open-source workflow automation platform that allows users to create workflows without extensive coding. Prior to versions 2.25.7 and 2.26.2, the @n8n/mcp-browser operated in an insecure mode using HTTP transport, enabling unauthenticated session initiations. This flaw permits any network-reachable client or malicious website to establish a session and invoke powerful browser control features without proper validation. Users of n8n who have installed the AI Browser Bridge extension and established a browser connection are particularly at risk, as this issue permits access to sensitive capabilities, including navigation, JavaScript execution, and local storage access. It's crucial for users to upgrade to the fixed versions to mitigate this vulnerability.

Affected Version(s)

n8n >= 2.26.0, < 2.26.2 < 2.26.0, 2.26.2

n8n < 2.25.7 < 2.25.7

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.