n8n Merge Node SQL Sandbox Prototype Pollution Vulnerability
A prototype pollution vulnerability in the Merge node's SQL Query mode sandbox allows authenticated users with workflow creation/modification permissions to pollute the sandbox context, which is cached and reused across all workflow executions.
What changed
The Merge node's SQL Query mode runs queries inside a sandbox whose context is cached and reused across all workflow executions. An authenticated user with permission to create or modify workflows can pollute that shared context through prototype pollution, so on multi-user n8n instances the data processed by other users' workflows can be intercepted.
Who it affects
Multi-user n8n instances where more than one user has permission to create and execute workflows containing the Merge node in SQL Query mode.
What to do today
Upgrade n8n to version 2.25.7 or 2.26.2 (or later). If an immediate upgrade is not possible, restrict workflow creation and editing permissions to trusted users and disable the Merge node via the NODES_EXCLUDE environment variable.
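As an added example (not from the n8n advisory or project), a POSIX shell helper that classifies an installed version against the fixed releases named above and prints the NODES_EXCLUDE value for the interim workaround; it assumes the Merge node's type name is n8n-nodes-base.merge and treats release lines older than 2.25 as unpatched.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify an n8n version string against the
# fixed releases it names (2.25.7 and 2.26.2, or later) and emit the NODES_EXCLUDE
# value that disables the Merge node as the interim workaround.
# Assumptions: release lines older than 2.25 are treated as unpatched, and the Merge
# node's type name in NODES_EXCLUDE is n8n-nodes-base.merge.

# n8n_is_fixed VERSION -> exit 0 if patched, 1 if vulnerable, 2 if VERSION is unparseable.
n8n_is_fixed() {
    ver=${1#v}                                  # tolerate a leading "v"
    case "$ver" in
        *[!0-9.]*|*..*|.*|*.) return 2 ;;       # only digits and dots, no empty components
    esac
    case "$ver" in
        *.*.*) ;;                               # need major.minor.patch
        *) return 2 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$patch" in *.*) return 2 ;; esac      # reject a fourth component

    [ "$major" -gt 2 ] && return 0              # any later major line carries the fix
    [ "$major" -lt 2 ] && return 1              # 1.x predates both fixed releases
    case "$minor" in
        25) [ "$patch" -ge 7 ] ;;               # 2.25.7 or later in the 2.25 line
        26) [ "$patch" -ge 2 ] ;;               # 2.26.2 or later in the 2.26 line
        *)  [ "$minor" -gt 26 ] ;;              # 2.27+ fixed; 2.24 and earlier not
    esac
}

# Value for the NODES_EXCLUDE environment variable: a JSON array of node type names.
merge_node_exclude_value() {
    printf '%s' '["n8n-nodes-base.merge"]'
}

# Usage: sh check_n8n.sh "$(n8n --version)"
if [ "$#" -gt 0 ]; then
    if n8n_is_fixed "$1"; then
        echo "$1: contains the fix"
    else
        echo "$1: upgrade, or start n8n with NODES_EXCLUDE='$(merge_node_exclude_value)'"
    fi
fi
```

NODES_EXCLUDE is read at startup, so restart n8n after setting it; workflows that still reference the Merge node will fail to run until the node is re-enabled.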