Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Published: 2026-05-04
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n, an open source workflow automation platform, contains a prototype pollution flaw in the XML Node that allows an authenticated user with workflow creation or editing rights to manipulate JavaScript prototypes. By altering prototypes, the attacker can chain prototype pollution with other nodes to achieve arbitrary code execution on the host. This weakness is categorized as CWE‑1321 and can compromise the confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects n8n versions older than 1.123.32, 2.17.4, and 2.18.1 across all deployments. Any install of v1.x before 1.123.32 or v2.x before 2.17.4 (or before 2.18.1) is susceptible when XML Node functionality is enabled.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical severity, and the absence of an EPSS rating means the exploitation probability is currently unknown but the flaw is not yet catalogued in CISA’s KEV list. Because the attack requires authentication, only users with workflow editing privileges can initiate the exploit; however, once achieved, the effect is system‑wide remote code execution.

Generated by OpenCVE AI on May 4, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to apply the vendor patch.
  • Limit workflow creation and modification permissions to trusted and least‑privilege users.
  • If a patch cannot be applied immediately, remove or disable the XML Node from the available nodes to eliminate the prototype‑pollution path.

Generated by OpenCVE AI on May 4, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
Title n8n: XML Node Prototype Pollution to RCE
Weaknesses CWE-1321
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:41:20.552Z

Reserved: 2026-04-25T05:37:12.117Z

Link: CVE-2026-42232

cve-icon Vulnrichment

Updated: 2026-05-04T19:41:16.339Z

cve-icon NVD

Status : Received

Published: 2026-05-04T19:16:05.610

Modified: 2026-05-04T19:16:05.610

Link: CVE-2026-42232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses