CVE-2026-42231
Prototype Pollution in n8n Leading to RCE
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | to 1.123.32 (exc) |
| n8n | n8n | 2.18.0 |
| n8n | n8n | From 2.17.0 (inc) to 2.17.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the n8n workflow automation platform due to a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler. Specifically, an authenticated user with permission to create or modify workflows can send a crafted XML payload that causes prototype pollution in JavaScript objects. By exploiting this prototype pollution and chaining it with the Git node's SSH operations, the attacker can achieve remote code execution on the n8n host.
How can this vulnerability impact me? :
The vulnerability can have severe impacts because it allows an authenticated user with workflow modification permissions to execute arbitrary code remotely on the n8n host. This could lead to full system compromise, unauthorized access to sensitive data, disruption of services, and potential further exploitation within the affected environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade n8n to one of the patched versions: 1.123.32, 2.17.4, or 2.18.1.
Ensure that only trusted authenticated users have permission to create or modify workflows, as exploitation requires such permissions.