VYPR
Advisory · Published Jun 16, 2026 · Updated Jun 17, 2026 · 1 source

n8n: 16 CVEs Disclosed in Single Batch — Credential Leaks, Prototype Pollution, and Sandbox Escape


Key findings

  • 16 CVEs disclosed in a single coordinated batch on June 16, 2026
  • Three prototype pollution CVEs form a chain from MS SQL node to Merge node to public webhooks
  • Credential bypass and cross-tenant takeover affect Dynamic Credentials EE and shared workflows
  • Python sandbox escape (CVE-2026-49444) allows arbitrary code execution on task runner containers
  • MCP Browser HTTP transport (CVE-2026-54309) accepts unauthenticated browser-control sessions
  • All issues fixed in n8n version 2.24.0

On June 16, 2026, n8n disclosed a batch of 16 security vulnerabilities spanning multiple components of the popular workflow automation platform. The disclosures, published within a six-hour window, cover credential leakage, prototype pollution, cross-site scripting, injection flaws, sandbox escapes, and denial-of-service — making it one of the most comprehensive coordinated security updates in the project's history. All issues have been addressed in n8n version 2.24.0.

Credential and Permission Flaws

Several of the most severe bugs involve credential exposure and privilege escalation. CVE-2026-54304 (high severity) allows an authenticated user with a SecurityScorecard credential to redirect the node's report download operation to an attacker-controlled host, leaking the API token. CVE-2026-54305 (high severity) targets the Dynamic Credentials EE endpoints: any authenticated session could enumerate and take over credentials belonging to other tenants without proper ownership or scope checks. CVE-2026-54307 (high severity) describes a permission bypass where a member-level user with editor access to a shared workflow can reference credentials they do not own via public API endpoints, enabling cross-user credential exfiltration.

Prototype Pollution Chain

Three CVEs form a prototype pollution chain with three different entry points. CVE-2026-54312 (high severity) lets an authenticated user pollute Object.prototype process-wide via a crafted table parameter in the Microsoft SQL node. CVE-2026-54311 exploits the Merge node's SQL Query mode to pollute a cached sandbox context that persists across all workflow executions. CVE-2026-54306 shows how a crafted public webhook payload can inject attacker-controlled fields into workflow data during internal object copying, enabling a confused-deputy attack where downstream nodes act on attacker-supplied values. Because Object.prototype is shared by every object in the Node.js process, pollution introduced through one workflow is visible to every other workflow the instance runs, so the blast radius is the whole instance rather than the attacker's own workflow.
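The mechanism behind CVE-2026-54306 and CVE-2026-54312 is the generic one below. This is an added example written for this page, not n8n's code: a recursive merge of the kind used to copy incoming data into workflow items, first in a form that a JSON body carrying a `__proto__` key turns into a process-wide write to Object.prototype, then hardened. The webhook body, the `isAdmin` field, and the function names are constructed for the illustration.

```javascript
// Added illustration (not n8n's code): a recursive object copy of the kind an
// automation platform uses to merge incoming data into workflow items, shown
// first in a form that a crafted JSON payload can use to pollute
// Object.prototype, then in a hardened form.

// Vulnerable: iterates every key, including a JSON key literally named
// "__proto__". On a plain object, target["__proto__"] IS Object.prototype, so
// the recursive call writes the attacker's fields onto it, process-wide.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, never the three keys that reach the prototype
// chain, and never descend into a value the target inherited rather than owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed webhook body: an ordinary-looking record that also carries a
// "__proto__" key. JSON.parse creates it as an own property, so both merge
// functions see it.
const CRAFTED_BODY = '{"orderId":"order-1","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether an unrelated object created afterwards
// inherited the attacker's field. Removes the field from Object.prototype
// again so the rest of the process is unaffected.
function demonstrate(mergeFn) {
  const item = mergeFn({}, JSON.parse(CRAFTED_BODY));
  const unrelated = {};
  const result = { orderId: item.orderId, polluted: unrelated.isAdmin === true };
  delete Object.prototype.isAdmin;
  return result;
}

console.log('unsafe merge:', demonstrate(mergeUnsafe)); // polluted: true
console.log('safe merge:  ', demonstrate(mergeSafe));   // polluted: false
```

The hardened version also refuses to merge into an inherited `target[key]`, which is the second half of the bug: even with `__proto__` filtered, recursing into a value the target does not own is how a merge reaches shared state. In a real service, Object.create(null) for data containers and freezing Object.prototype at startup are the belt-and-braces additions.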

Cross-Site Scripting (XSS)

Three distinct XSS vectors were fixed. CVE-2026-54302 (high severity) is a stored XSS in the Chat Trigger node: an attacker with workflow edit access can inject arbitrary JavaScript via a malicious webhookId, which executes in the n8n origin when a logged-in user visits the chat URL. CVE-2026-54303 is a reflected XSS in the Meta and Microsoft Teams trigger webhook verification endpoints, where a query parameter is reflected without sanitization. CVE-2026-54301 (high severity) allows a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type, bypassing the CSP sandbox header to execute JavaScript in the n8n origin.

Injection and Sandbox Escape

CVE-2026-54313 describes a NoSQL injection in the MongoDB node's Find And Replace operation, where a malicious filter value can match and overwrite unintended documents. CVE-2026-54310 covers SQL injection in the TimescaleDB and legacy Postgres v1 nodes, allowing arbitrary SQL execution against the connected database. CVE-2026-49444 (high severity) is a Python sandbox escape: an authenticated user with access to a Python Code Node can achieve arbitrary code execution on the task runner container. CVE-2026-49465 lets a user bypass the N8N_RESTRICT_FILE_ACCESS_TO sandbox via the Git node's Clone and Push operations by supplying local filesystem paths.

Unauthenticated Attack Vectors

CVE-2026-54309 (high severity) affects the MCP Browser HTTP transport mode: the endpoint accepts session initialization and tool invocation requests without any authentication, allowing any network-reachable client or website to establish a browser-control session. CVE-2026-54308 covers missing token validation on the Microsoft Agent 365 Trigger and Stripe Trigger nodes, enabling unauthenticated attackers who know the webhook URL to submit forged payloads. CVE-2026-54314 is a denial-of-service via the Compression node's Decompress operation, where an unauthenticated attacker can send a small compressed archive to a public webhook workflow, causing the n8n process to terminate due to memory exhaustion.

Response and Mitigation

All 16 vulnerabilities are fixed in n8n version 2.24.0. Users are strongly advised to upgrade immediately. Where immediate patching is not possible, administrators should review workflow sharing settings, restrict access to the affected trigger and node types, and ensure the Python Task Runner is disabled if not required. Note that CVE-2026-54306, CVE-2026-54308, CVE-2026-54309 and CVE-2026-54314 need no account on the instance, so the first triage question is which workflows expose public webhook triggers or the MCP Browser HTTP transport to the network. The vendor's advisory provides full details on each CVE.

This batch underscores the complexity of securing a low-code platform where nodes interact with external services, databases, and sandboxed code execution environments. The combination of prototype pollution, credential bypasses, and unauthenticated webhook flaws means that even a single compromised workflow editor account — or a publicly exposed webhook — can cascade into full credential theft, data exfiltration, or remote code execution. n8n users should treat this update as a priority.

Synthesized by Vypr AI