Exposure of Data Element to Wrong Session Affecting n8n-nodes-base package, versions <2.25.2, >=2.26.0 <2.26.5


Severity

medium

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.32% (24th percentile)

  • Snyk ID: SNYK-JS-N8NNODESBASE-17750817
  • Published: 1 Jul 2026
  • Disclosed: 23 Jun 2026
  • Credits: m1ee

Introduced: 23 Jun 2026

CVE-2026-54311
CWE-488

How to fix?

Upgrade n8n-nodes-base to version 2.25.2, 2.26.5 or higher.

Overview

n8n-nodes-base is the package that provides the base nodes of n8n.

Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session via the combineBySql Merge-node SQL Query path in combineBySql.ts. An authenticated attacker can poison the shared SQL sandbox by supplying a workflow that runs attacker-controlled SQL, causing prototype mutations to persist into later Merge SQL executions on the same instance. This allows the attacker to intercept data processed by other users’ workflows, breaking the isolation of workflow execution in multi-user n8n instances.

Notes

  • This only affects multi-user n8n deployments where more than one user can create or execute workflows using Merge node SQL Query mode; single-user instances do not have the same cross-user persistence issue.
  • The vulnerable path is the cached shared SQL sandbox used by repeated Merge SQL executions, so pollution can persist across later runs on the same instance rather than being limited to a single workflow execution.

Workarounds

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.
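
A triage check for the fix and workaround above, as an added example (not code from n8n or Snyk): it classifies an installed n8n-nodes-base version against the affected ranges in this advisory and reports whether the Merge-node workaround is in place. The function names are hypothetical, and it assumes NODES_EXCLUDE holds a JSON array of node type names.

```javascript
// Added example: triage helper for this advisory, not part of n8n.
// Affected ranges (from the advisory): <2.25.2, or >=2.26.0 and <2.26.5.

// Parse "MAJOR.MINOR.PATCH"; any pre-release/build suffix is ignored,
// so check pre-release builds of a fixed version by hand.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way comparison of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (cmp(v, [2, 25, 2]) < 0) return true;            // older than 2.25.2
  return cmp(v, [2, 26, 0]) >= 0 && cmp(v, [2, 26, 5]) < 0; // 2.26.0 to 2.26.4
}

// Assumption: NODES_EXCLUDE is a JSON array string such as
// '["n8n-nodes-base.merge"]'. Anything unparseable counts as "not excluded"
// so a malformed value is never reported as a working mitigation.
function mergeNodeExcluded(nodesExclude) {
  if (!nodesExclude) return false;
  let list;
  try { list = JSON.parse(nodesExclude); } catch { return false; }
  return Array.isArray(list) && list.includes('n8n-nodes-base.merge');
}

// Returns 'fixed', 'affected-mitigated' or 'affected-exposed'.
function triage(version, nodesExclude) {
  if (!isAffected(version)) return 'fixed';
  return mergeNodeExcluded(nodesExclude) ? 'affected-mitigated' : 'affected-exposed';
}
```

Call `triage()` with the version reported by `npm ls n8n-nodes-base` and the NODES_EXCLUDE value from the instance's environment; an 'affected-mitigated' result still calls for the upgrade.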
