PT-2026-35429 · N8N · N8N

Simonkoeck · Published 2026-04-22 · Updated 2026-05-20 · CVE-2026-42232

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

n8n versions prior to 1.123.32
n8n versions prior to 2.17.4
n8n versions prior to 2.18.1

Description

An authenticated user with permissions to create or modify workflows can achieve global prototype pollution via the XML Node. Prototype pollution occurs when an attacker manipulates the prototype of an object, potentially affecting all objects of that type. This can lead to remote code execution (RCE) when combined with other nodes that exploit the polluted prototype.

Recommendations

Update to version 1.123.32 or later.
Update to version 2.17.4 or later.
Update to version 2.18.1 or later.
Limit workflow creation and editing permissions to fully trusted users only.
Disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable.
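
One way to audit instances against the fixed versions and the XML-node mitigation listed above. This is an added example, not n8n's own code; the host names, version strings and environment values are constructed, and the mapping of fixed releases to release lines and the JSON-array format of NODES_EXCLUDE are assumptions noted in the comments.

```javascript
// Added example, not n8n code. Inventory values below are constructed.
const FIXED = ['1.123.32', '2.17.4', '2.18.1'].map(parse); // from the advisory
const XML_NODE = 'n8n-nodes-base.xml';                      // from the advisory

function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assumption: 1.123.32 fixes the 1.x line, 2.17.4 fixes 2.x up to 2.17,
// and 2.18.1 fixes 2.18 and later. Anything older than 1.0.0 is unpatched.
function isPatched(version) {
  const v = parse(version);
  const [fix1, fix217, fix218] = FIXED;
  if (v[0] < 1) return false;
  if (v[0] === 1) return cmp(v, fix1) >= 0;
  if (v[0] === 2 && v[1] <= 17) return cmp(v, fix217) >= 0;
  return cmp(v, fix218) >= 0;
}

// Assumption: NODES_EXCLUDE holds a JSON array of node type names.
function xmlNodeExcluded(raw) {
  if (!raw) return false;
  try {
    const list = JSON.parse(raw);
    return Array.isArray(list) && list.includes(XML_NODE);
  } catch {
    return false; // malformed value: the exclusion cannot be relied on
  }
}

function audit(version, env) {
  const patched = isPatched(version);
  const excluded = xmlNodeExcluded(env.NODES_EXCLUDE);
  return { patched, xmlNodeExcluded: excluded, needsAction: !patched && !excluded };
}

// Constructed inventory: one unpatched, one mitigated, one patched instance.
const fleet = [['n8n-a', '1.123.31', {}], ['n8n-b', '2.18.0', { NODES_EXCLUDE: '["n8n-nodes-base.xml"]' }], ['n8n-c', '2.17.4', {}]];
for (const [host, ver, env] of fleet) console.log(host, ver, audit(ver, env));
```

An instance flagged `needsAction` is neither on a fixed release nor running with the XML node excluded; the permission restriction from the recommendations still has to be reviewed separately.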

Fix

RCE

Prototype Pollution

Weakness Enumeration

Related Identifiers

BDU:2026-06868
CVE-2026-42232
GHSA-HQR4-H3XV-9M3R

Affected Products

N8N