At a Glance
CVE-2026-54309
Identifier
Critical
Severity
Network
Attack Vector
n8n
Affected
A critical vulnerability has been discovered in a component of the n8n workflow automation platform. The flaw, identified as CVE-2026-54309, creates an unauthenticated endpoint that allows complete control over a user's web browser. It affects instances where the `@n8n/mcp-browser` package is configured to use the HTTP transport, a non-default setting. [1]
The New Agentic Attack Surface
The n8n platform is a popular open-source tool for building complex, multi-step automations. Recently, it has been adopted by developers as a framework for creating autonomous AI agents. The affected component, `@n8n/mcp-browser`, is part of this agentic ecosystem. MCP stands for Multi-Cognitive Process, a design pattern for agents that orchestrate tools to achieve goals.
In this context, the browser package acts as a critical tool, or 'actuator', for an AI agent. It allows the agent to interact with the web by navigating pages, reading content, and entering data. This functionality is essential for agents designed to perform tasks like data scraping, online research, or managing web applications. The vulnerability turns this powerful tool into a significant security risk.
Architectures for these agents are often distributed. The core logic of an agent might run on a central server, while its tools run on other machines. For example, a browser tool may need to run on a user's desktop to access their authenticated web sessions. The HTTP transport option exists to facilitate this kind of distributed operation, creating a network bridge between the agent's 'brain' and its browser 'hands'.
Deconstructing the Attack Chain
The attack begins with a single prerequisite. The target must be running the `@n8n/mcp-browser` component with the `--transport http` flag. While the default transport is `stdio`, which is not vulnerable, any user who has enabled HTTP mode exposes an open port on their network. An attacker on the same local network can scan for this port to identify potential targets.
Once the endpoint is located, exploitation is straightforward. The attacker sends a request to initialize a browser control session. The vulnerable component accepts this request without any authentication or authorization checks. The attacker is immediately granted a valid session, giving them a direct line to the user's browser.
With an active session, the attacker can invoke the component's browser-control tools. This includes the ability to navigate the browser to arbitrary websites, such as a phishing page or a site that exploits other browser vulnerabilities. More dangerously, the attacker can execute arbitrary JavaScript code within the context of the current page. This is effectively a remote code execution vulnerability within the browser's sandbox.
JavaScript execution allows an attacker to steal sensitive information directly from the web page, inject keyloggers, or manipulate the page's content. The vulnerability also grants access to the browser's cookies and local storage. An attacker can exfiltrate these tokens to hijack the user's authenticated sessions on other websites, gaining access to email, corporate applications, or financial accounts.
OPERATOR ACTION
Upgrade n8n to version 2.25.7, 2.26.2, or later to patch this vulnerability immediately.
A Fundamental Failure of Authentication
The technical root cause of CVE-2026-54309 is simple but severe: a missing authentication layer. The code responsible for handling HTTP transport connections does not verify the identity of the client. It implicitly trusts that any network entity able to connect to the port is authorized to control the browser. This is a critical design flaw for any network-exposed service.
This stands in sharp contrast to the default `stdio` transport mode. In the default configuration, the component communicates with the main n8n process over standard input and output streams. This is a form of local inter-process communication, confined to the same machine and not exposed to the network. The security of the default setting is what has limited the scope of this vulnerability. [1]
Why Traditional Defenses Fall Short
This type of vulnerability can be difficult to detect with conventional security tools. A perimeter firewall may block external attackers from reaching the vulnerable port. However, it provides no protection against an attacker who has already established a foothold on the internal network. Lateral movement is a common phase of advanced attacks, and this flaw provides a perfect pivot point.
Endpoint Detection and Response (EDR) solutions may also be blind to this activity. The malicious commands are sent to a legitimate, signed application (n8n). The application then uses standard APIs to control the browser process. From the operating system's perspective, this appears as normal behavior. The flaw is not in the action being performed, but in the lack of authorization for the entity requesting it.
Playbook for Detection and Remediation
Defenders should proactively hunt for instances of this vulnerable configuration. The most direct method is to search for running processes containing `@n8n/mcp-browser` and check for the `--transport http` command-line argument. System administrators and security teams should audit their n8n deployments for this specific configuration.
Network monitoring can also provide valuable clues. Security teams should analyze network traffic logs for connections to the MCP browser port from unexpected or unauthorized client IP addresses. A baseline of legitimate clients should be established to help identify anomalous connections that could indicate an attempted compromise.
The primary remediation is to upgrade to a patched version of n8n. The vendor has released fixes in versions 2.25.7 and 2.26.2. Users are strongly advised to update to one of these versions or a later release to fully resolve the issue. [2]
If an immediate upgrade is not possible, two workarounds can provide temporary mitigation. The first is to switch from the HTTP transport back to the default `stdio` transport. The second is to implement strict host-based firewall rules that restrict network access to the listening port, allowing connections only from trusted clients. These should be considered short-term fixes, not a substitute for patching.
A Pattern in Agentic Infrastructure Vulnerabilities
This vulnerability in n8n is not an isolated incident. It is representative of a new class of risks emerging from the rapid development of AI and agentic systems. As developers race to build more capable agents, they are creating complex, distributed systems with numerous internal APIs. These APIs, which connect agent components, are becoming a new and attractive attack surface.
The pressure to innovate can sometimes lead to security fundamentals, like authentication on internal endpoints, being overlooked. This is especially true for non-default configurations that enable advanced use cases. The n8n vulnerability serves as a critical case study. It highlights the need for a security-first mindset when building and deploying the infrastructure that will power the next generation of autonomous agents.
References
- GitHub Security Advisory (GHSA-qrx8-25qr-5r7v). https://github.com/advisories/GHSA-qrx8-25qr-5r7v (accessed 2026-06-17).
- Vendor security advisory (github.com). https://github.com/n8n-io/n8n/security/advisories/GHSA-qrx8-25qr-5r7v (accessed 2026-06-17).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.