Description
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-03-25
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An open source workflow automation platform contains a prototype pollution flaw in its XML and GSuiteAdmin nodes. An attacker who can create or edit workflows can supply crafted parameters that overwrite Object.prototype. This manipulation can lead to arbitrary code execution on the n8n instance, allowing the attacker to compromise confidentiality, integrity, and availability of the server and its data.

Affected Systems

The vulnerability affects the n8n platform produced by n8n-io. All releases before 2.14.1, 2.13.3, and 1.123.27 are impacted; the issue is fixed in those releases and in later versions.

Risk and Exploitability

The CVSS score of 9.4 signals critical severity, while the EPSS score of less than 1% and the absence from CISA's KEV catalog suggest that the likelihood of public exploitation is currently low. Nonetheless, exploitation requires an authenticated user with permission to modify workflows, meaning compromised accounts or privileged users could leverage the flaw. Organizations that grant any such access must treat this as a high-risk vulnerability and act promptly.

Generated by OpenCVE AI on March 27, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.14.1, 2.13.3, or 1.123.27 or a later release.
  • Restrict workflow creation and editing permissions to fully trusted users only.
  • Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable.

Advisories
Source: Github GHSA
ID: GHSA-mxrg-77hm-89hv
Title: n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE

History

Fri, 27 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
cpe:2.3:a:n8n:n8n:2.14.0:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Title n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE
Weaknesses CWE-1321
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T20:08:17.600Z

Reserved: 2026-03-23T17:06:05.745Z

Link: CVE-2026-33696

Vulnrichment

Updated: 2026-03-25T20:08:14.197Z

NVD

Status: Analyzed

Published: 2026-03-25T18:16:32.550

Modified: 2026-03-27T19:40:55.160

Link: CVE-2026-33696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:17Z

Weaknesses