Description
n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated user with the default workflow:create permission could pollute Object.prototype through a crafted workflow saved, updated, or imported via the workflow API, allowing unauthenticated requests to be treated as a privileged user and exposing user and project listing endpoints. This issue is fixed in versions 1.123.61, 2.27.4, and 2.28.1.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Thu, 09 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated user with the default workflow:create permission could pollute Object.prototype through a crafted workflow saved, updated, or imported via the workflow API, allowing unauthenticated requests to be treated as a privileged user and exposing user and project listing endpoints. This issue is fixed in versions 1.123.61, 2.27.4, and 2.28.1. | |
| Title | n8n: Prototype Pollution via Workflow Credentials Leads to Unauthenticated User and Project Enumeration | |
| Weaknesses | CWE-1321 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T15:30:28.166Z
Reserved: 2026-07-02T21:05:02.924Z
Link: CVE-2026-59206
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')