CVE-2026-54313

n8n: NoSQL Injection in MongoDB Node Find And Replace Operation

CVSS 6.5 MEDIUM · CWE-89
In short

A user who can edit workflows in n8n can supply a crafted filter value to the MongoDB node's Find And Replace operation, causing the query to match, and then overwrite, documents they should not have access to.

Technical detail

This is a NoSQL injection vulnerability in the Find And Replace operation of n8n's MongoDB node: user-supplied filter values are passed to the MongoDB query without sanitization. An authenticated user with workflow edit permissions can manipulate the query filter so that it matches unintended documents, which are then overwritten with attacker-controlled data, bypassing the intended access controls.

Summary generated and translated by AI from the official description.
n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation. The value was not validated before being passed to MongoDB as a query filter, allowing unintended documents to be matched and overwritten with attacker-controlled content. This vulnerability is fixed in 2.24.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
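As an added illustration of the bug class described above (this is not n8n's code and not its fix): a filter built by using a user-supplied value verbatim, beside one that only accepts scalar values and pins them with `$eq`. The in-memory matcher and the sample documents are constructed stand-ins for a MongoDB collection so the example runs offline.

```javascript
// Constructed sample collection; in the real bug this is a MongoDB collection.
const docs = [
  { _id: 1, owner: 'alice', note: 'a' },
  { _id: 2, owner: 'bob', note: 'b' },
  { _id: 3, owner: 'carol', note: 'c' },
];

// Minimal stand-in for MongoDB filter evaluation: supports plain equality
// and the $eq / $ne operator documents, which is enough to show the issue.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      // An object in value position is interpreted as an operator document.
      return Object.entries(cond).every(([op, v]) => {
        if (op === '$eq') return doc[field] === v;
        if (op === '$ne') return doc[field] !== v;
        return false; // unknown operator: treat as no match
      });
    }
    return doc[field] === cond;
  });
}

// Vulnerable pattern (hypothetical, not n8n's implementation): the value the
// workflow editor supplied is used as the filter value without validation.
// If that value is itself an object, MongoDB reads it as operators, so the
// filter can match far more documents than the single intended one.
function buildFilterUnsafe(field, value) {
  return { [field]: value };
}

// Hardened pattern: reject anything that is not a scalar and wrap the scalar
// in $eq, so the user-supplied value can only ever be compared literally.
function buildFilterSafe(field, value) {
  const scalar = ['string', 'number', 'boolean'].includes(typeof value);
  if (!scalar) {
    throw new TypeError('filter value must be a string, number or boolean');
  }
  return { [field]: { $eq: value } };
}

// Number of documents a Find And Replace with this filter would overwrite.
function countMatches(filter) {
  return docs.filter((d) => matches(d, filter)).length;
}
```

With the unsafe builder an operator document such as `{ $ne: '' }` matches every document, so a replace would overwrite the whole collection; the safe builder refuses it and matches exactly one document for a literal value.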
Affected products
n8n-io · n8n
