Impact
n8n is an open source workflow automation platform. An authenticated user with permission to create or modify workflows can achieve global prototype pollution through an unvalidated pagination parameter in the HTTP Request node. This flaw exists in versions prior to 1.123.43, 2.22.1, and 2.20.7. When combined with other techniques, it can lead to remote code execution on the instance. The vulnerability is classified under CWE‑1321 and is fixed in the specified releases.
Affected Systems
The affected product is n8n from n8n‑io. Versions prior to 1.123.43, 2.22.1, and 2.20.7 are vulnerable. Users running any of these releases without the patch are at risk.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.4, indicating a critical impact. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog. The attack requires an authenticated account with permission to create or modify workflows and can be achieved locally within the instance; no remote exploitation without credentials is documented.
OpenCVE Enrichment
Github GHSA