VYPR
Medium severity (6.0) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

n8n: Merge Node SQL Mode Prototype Pollution

CVE-2026-54311

Description

Authenticated users with workflow permissions can pollute the Merge node's cached sandbox, allowing low-privileged attackers to intercept data from other users on multi-tenant n8n instances.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Merge node's SQL Query mode in n8n uses a sandbox context that is cached and reused across all workflow executions on the same instance. In versions prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows can introduce prototype mutations into this cached sandbox. These mutations persist for subsequent executions of the Merge node in SQL Query mode, even those belonging to other users or projects. This issue only affects multi-tenant n8n instances where more than one user has permission to create and execute workflows containing the Merge node in SQL Query mode [1][2].

Exploitation

An attacker needs a valid account on a multi-user n8n instance and the ability to create or modify workflows that include the Merge node in SQL Query mode. The attacker crafts a workflow that injects prototype pollution into the shared sandbox context. When any other user on the same instance subsequently executes a workflow using the Merge node's SQL Query mode, the polluted sandbox is reused, and the attacker can observe or alter the data processed [1][2].

Impact

A successful attack allows the low-privileged attacker to intercept workflow data processed by other users on the same n8n instance. This leads to unauthorized disclosure of sensitive information processed by Merge SQL queries. The vulnerability does not directly provide code execution or allow data modification, but the confidentiality impact is high due to the potential for inter-user data leakage [1][2].

Mitigation

The vulnerability has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to fully remediate the issue [1][2]. If immediate upgrade is not possible, administrators can temporarily limit workflow creation and editing permissions to fully trusted users only, or disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable. These workarounds do not fully remediate the risk and should only be used as short-term measures [1][2].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.