CVE-2026-54306 n8n-io CVE debrief

Who should care

Users of n8n workflow automation platform, especially those using public webhooks with action nodes that consume resulting fields, should be aware of this vulnerability. Security teams and administrators responsible for n8n deployments should prioritize patching to prevent potential exploitation.

Technical summary

The vulnerability exists in n8n versions prior to 2.25.7 and 2.26.2. A crafted public webhook payload can inject attacker-controlled fields into workflow data during internal object copying. These fields can be consumed by downstream built-in nodes, potentially allowing an attacker to target unintended records or issue outbound requests using the workflow owner's credentials. The vulnerability has a CVSS score of 6.3 and is classified as medium severity.

Defensive priority

Patching to versions 2.25.7 or 2.26.2 is recommended to address this vulnerability. In the interim, defenders should monitor workflow activity for suspicious behavior and restrict access to public webhooks where possible.

Recommended defensive actions

• Update n8n to version 2.25.7 or 2.26.2
• Monitor workflow activity for suspicious behavior
• Restrict access to public webhooks
• Review workflows for combinations of public webhooks with action nodes
• Implement additional logging and monitoring for affected systems

Evidence notes

The vulnerability was reported and fixed by the n8n team. Details were published in a GitHub security advisory (GHSA-2vff-hj5x-8gq7). The CVE record and NVD details provide additional context on the vulnerability.

Official resources