Skip to main content

n8n EUVDEUVD-2026-38459

| CVE-2026-54313 MEDIUM
SQL Injection (CWE-89)
2026-06-16 https://github.com/n8n-io/n8n GHSA-jpq7-226w-6cxx
6.5
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
6.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Workflow edit permission maps to PR:L; S:C reflects MongoDB as a separately impacted system; C:N and A:N apply as only document integrity is compromised.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 17:07 NVD
7.7 (MEDIUM) 6.5 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 19:21 vuln.today
Analysis Generated
Jun 16, 2026 - 19:21 vuln.today

DescriptionCVE.org

Impact

An authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation. The value was not validated before being passed to MongoDB as a query filter, allowing unintended documents to be matched and overwritten with attacker-controlled content.

Patches

The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Disable the MongoDB node by adding n8n-nodes-base.mongoDb to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

NoSQL injection in n8n's MongoDB node (all versions prior to 2.24.0) enables authenticated users with workflow edit access to supply malicious filter values in the Find And Replace operation, causing MongoDB to match and overwrite documents far beyond the attacker's intended scope. The root cause is unsanitized user input being passed directly to MongoDB as a query filter without validation, and the scope change (S:C in CVSS) means the impact propagates from n8n itself into the connected MongoDB database layer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to n8n with low-privilege workflow editor account
Delivery
Open or create workflow in the n8n editor
Exploit
Add MongoDB Find And Replace node with malicious filter operators
Install
Trigger workflow execution via manual run, schedule, or webhook
C2
n8n passes unsanitized filter to MongoDB query engine
Execute
MongoDB matches unintended documents across collection
Impact
Attacker-controlled content overwrites targeted documents

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) a valid n8n account with workflow edit or creation permissions - unauthenticated access is insufficient, and the PR:L CVSS metric confirms this; (2) the target n8n instance must have the MongoDB node active - if 'n8n-nodes-base.mongoDb' is listed in NODES_EXCLUDE, the vulnerable code path is unavailable; (3) the attacker must be able to execute the crafted workflow, either by running it directly or triggering its execution via an automated schedule or webhook. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N) accurately captures the network-reachable, low-complexity nature of this exploit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated n8n user with workflow edit access creates or modifies a workflow containing a MongoDB Find And Replace node, injecting MongoDB query operators (e.g., a $where expression or an operator-based predicate) into the filter value field. When the workflow executes, n8n passes the unsanitized filter directly to MongoDB, which evaluates it against the full document collection - matching unintended documents and overwriting them with attacker-controlled content, potentially corrupting critical application data across multiple collections. …
Remediation The primary remediation is to upgrade n8n to version 2.24.0 or later, which contains the vendor-confirmed fix per the security advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-jpq7-226w-6cxx. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy