CVE-2026-54311 | n8n is an open source workflow automation platform. Prior to… | CVSS 6.0 MEDIUM

Description

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node's SQL Query mode. Because the sandbox context was cached and reused across all workflow executions on the instance, prototype mutations introduced by one user's workflow persist into subsequent Merge SQL executions belonging to other users or projects. This allowed a low-privileged attacker to intercept workflow data processed by other users on the same instance. This issue only affects multi-user n8n instances where more than one user has permission to create and execute workflows containing the Merge node in SQL Query mode. This vulnerability is fixed in 2.25.7 and 2.26.2.

Metadata

CVE ID: CVE-2026-54311
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 18:42 UTC
Published: 2026-06-23 15:41 UTC
Last updated: 2026-06-23 17:45 UTC
Primary CWE: CWE-488
CWE-488: Exposure of Data Element to Wrong Session
Vendor / Product: n8n-io / n8n
Sources: cve.org · NVD

Severity & Metrics

6.0 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
n8n-io	n8n	—	>= 2.26.0, < 2.26.2, < 2.25.7

Weakness (CWE)

CWE	Source	Description
CWE-488	cna	CWE-488: Exposure of Data Element to Wrong Session

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.0	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

References (1)

https://github.com/n8n-io/n8n/security/advisories/GHSA-9c38-2mcm-q7f7 https://github.com/n8n-io/n8n/security/advisories/GHSA-9c38-2mcm-q7f7