PT-2026-35428 · Npm+1 · Xml2Js+1

A-Tallat · Published 2026-04-22 · Updated 2026-05-19 · CVE-2026-42231

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 1.123.32
n8n versions prior to 2.17.4
n8n versions prior to 2.18.1

Description
A flaw in the xml2js library used to parse XML request bodies in the webhook handler allows prototype pollution via a crafted XML payload. Prototype pollution is a technique where an attacker manipulates the prototype of a base object to alter the behavior of the application. An authenticated user with permissions to create or modify workflows can exploit this to pollute the JavaScript object prototype and, by chaining this with the Git node's SSH operations, achieve remote code execution on the host.

Recommendations
Update to version 1.123.32 or later.
Update to version 2.17.4 or later.
Update to version 2.18.1 or later.
Limit workflow creation and editing permissions to fully trusted users only.
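As an added example (not part of this advisory, and not n8n's or xml2js's own code), the following JavaScript shows the defensive check a webhook handler can apply to parser output before merging it into application state: keys named `__proto__`, `constructor` or `prototype` are reported and stripped, and the merge routine itself refuses to write them, so a crafted document cannot reach Object.prototype through it. The document shape and the names `findPollutingPaths`, `stripPollutingKeys`, `safeMerge` and `checkDocument` are assumptions made for this example.

```javascript
// Added example, not n8n's or xml2js's code. Guards parser output against
// prototype pollution before it is merged into application objects.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the dotted paths of every key in `value` that would reach the
// prototype chain if the object were recursively merged into another object.
// It does not descend below a polluting key: that subtree is the payload.
function findPollutingPaths(value, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  for (const [key, child] of Object.entries(value)) {
    const childPath = path ? `${path}.${key}` : key;
    if (POLLUTING_KEYS.has(key)) {
      out.push(childPath);
      continue;
    }
    findPollutingPaths(child, childPath, out);
  }
  return out;
}

// Deep-copies `value`, dropping polluting keys at every depth. Arrays keep
// their element order; scalars are returned unchanged.
function stripPollutingKeys(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(stripPollutingKeys);
  const clean = {};
  for (const [key, child] of Object.entries(value)) {
    if (POLLUTING_KEYS.has(key)) continue;
    clean[key] = stripPollutingKeys(child);
  }
  return clean;
}

// Recursive merge that only ever writes own, non-polluting keys, so a crafted
// document cannot modify Object.prototype through the merge.
function safeMerge(target, source) {
  for (const [key, child] of Object.entries(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    const childIsObj = child !== null && typeof child === 'object' && !Array.isArray(child);
    const existingIsObj = existing !== null && typeof existing === 'object' && !Array.isArray(existing);
    if (childIsObj && existingIsObj) {
      safeMerge(existing, child);
    } else {
      target[key] = stripPollutingKeys(child);
    }
  }
  return target;
}

// Constructed stand-in for a parsed request body (assumption for the example).
// JSON.parse creates an own property literally named "__proto__", which is the
// shape an XML-to-object parser produces for an element with that name.
const CONSTRUCTED_BODY = JSON.parse(
  '{"body":{"__proto__":{"isAdmin":true},"user":{"name":"alice","constructor":{"prototype":{"x":1}}}}}'
);

// Runs the three checks on one document and returns the results: the report
// for the raw document, the report for the cleaned copy, the merged object,
// and whether Object.prototype is still untouched after the merge.
function checkDocument(doc) {
  const before = findPollutingPaths(doc);
  const cleaned = stripPollutingKeys(doc);
  const after = findPollutingPaths(cleaned);
  const merged = safeMerge({}, doc);
  const prototypeIntact = ({}).isAdmin === undefined && !('isAdmin' in Object.prototype);
  return { before, after, cleaned, merged, prototypeIntact };
}

console.log(JSON.stringify(checkDocument(CONSTRUCTED_BODY), null, 2));
```

In a handler, reject the request when `findPollutingPaths` returns anything rather than silently cleaning it: a body that names `__proto__` is never a legitimate webhook payload, and the report gives the detection signal to log.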

Fix

RCE

Prototype Pollution

Weakness Enumeration

Related Identifiers

BDU:2026-06869
CVE-2026-42231
GHSA-Q5F4-99JV-PGG5

Affected Products

N8N
Xml2Js