CVE-2026-33696
Prototype Pollution in n8n XML and GSuiteAdmin Nodes Enables RCE
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | Up to 1.123.27 (exc) |
| n8n | n8n | From 2.0.0 (inc) to 2.13.3 (exc) |
| n8n | n8n | 2.14.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33696 is a critical prototype pollution vulnerability in the n8n workflow automation platform, specifically affecting the XML and GSuiteAdmin nodes in versions prior to 2.14.1, 2.13.3, and 1.123.27.
An authenticated user with permission to create or modify workflows can exploit this vulnerability by supplying specially crafted parameters in the node configuration. This allows the attacker to write malicious values onto JavaScript's Object.prototype.
By polluting the prototype, the attacker can achieve remote code execution (RCE) on the n8n instance, potentially taking full control of the affected system.
The vulnerability has been fixed in the specified versions, and users are advised to upgrade. Temporary mitigations include restricting workflow creation and editing permissions to trusted users and disabling the XML node, but these do not fully eliminate the risk.
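As an added example (hypothetical code, not n8n's and not the upstream fix), the JavaScript below shows the CWE-1321 pattern listed under Exploitability: a node that deep-merges user-supplied parameters into its defaults reaches `Object.prototype` through a `__proto__` key, beside a hardened merge that refuses such keys; the function names and the parameter payload are constructed for the illustration.

```javascript
// Added illustration of CWE-1321 (prototype pollution) in the shape the CWE describes:
// a node merging user-supplied parameters into a defaults object. Hypothetical, not n8n's code.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// Vulnerable pattern: every key of untrusted input is walked, "__proto__" included, so
// target["__proto__"] resolves to Object.prototype and the recursion writes onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: skip keys that reach the prototype chain (or reject the whole request if
// partial application is unacceptable), descend only into own properties, and create
// nested containers without a prototype. Skipped keys are reported so they can be logged.
function safeMerge(target, source, skipped = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) { skipped.push(key); continue; }
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value, skipped);
    } else {
      target[key] = value;
    }
  }
  return { target, skipped };
}

// Constructed parameter blob as JSON.parse yields it from a request body: the "__proto__"
// entry is an ordinary own property here, which is exactly what makes it dangerous.
const CONSTRUCTED_PARAMS = '{"options":{"trim":true},"__proto__":{"polluted":"yes"}}';
// Merges the blob with the given function and reports whether an unrelated empty object
// now sees the injected property (the tell-tale sign of pollution), then cleans up.
function demo(mergeFn) {
  const defaults = { options: { trim: false } };
  mergeFn(defaults, JSON.parse(CONSTRUCTED_PARAMS));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { leaked, trim: defaults.options.trim };
}
```

Running `demo(unsafeMerge)` reports `leaked: "yes"`, while `demo(safeMerge)` reports `leaked: undefined` and still applies the legitimate `options.trim` value.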
How can this vulnerability impact me?
This vulnerability can have severe impacts on your system if exploited.
- An attacker with low privileges and no user interaction can remotely execute arbitrary code on your n8n instance.
- Successful exploitation compromises confidentiality, integrity, and availability of the vulnerable system and any subsequent systems.
- This could lead to unauthorized access, data manipulation, service disruption, or full system takeover.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade n8n to version 2.14.1, 2.13.3, or 1.123.27 (or a later release in the same line), where the issue has been fixed.
If upgrading is not immediately possible, temporary mitigations include:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable.
Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user with limited privileges to achieve remote code execution on the n8n instance, which can lead to severe impacts on confidentiality, integrity, and availability of the system.
Such impacts on confidentiality and integrity could potentially lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
However, the provided information does not explicitly mention compliance implications or specific effects on regulatory requirements.