PT-2026-40935 · N8N · N8N

Published: 2026-05-14 · Updated: 2026-05-21 · CVE-2026-44791

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

n8n versions prior to 1.123.43
n8n versions prior to 2.20.7
n8n versions prior to 2.22.1

Description

An authenticated user with permissions to create or modify workflows can bypass a previous prototype pollution patch in the XML node. Prototype pollution occurs when an attacker manipulates the prototype of an object, potentially altering the behavior of the application. When combined with other nodes, this bypass could lead to remote code execution (RCE) on the host system.

Recommendations

Update to version 1.123.43 or later.
Update to version 2.20.7 or later.
Update to version 2.22.1 or later.
Limit workflow creation and editing permissions to fully trusted users only.
Disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable.
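
An added example, not n8n project code or part of the advisory: a Node.js triage check that classifies an instance from its version string and its NODES_EXCLUDE value. It assumes each fixed release closes its own release line (1.x, 2.20.x, the rest of 2.x) and that NODES_EXCLUDE holds a JSON array of node type names; all function names are hypothetical.

```javascript
// Added triage example (not n8n project code). Fixed releases come from the advisory.
const FIXED = { v1: [1, 123, 43], v2_20: [2, 20, 7], v2: [2, 22, 1] };
const XML_NODE = 'n8n-nodes-base.xml';

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version: ${text}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Assumption: each fixed release closes its own line: 1.x, 2.20.x, and the rest of 2.x.
// A 2.21.x build is therefore treated as affected (the conservative reading).
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] < 2) return lessThan(v, FIXED.v1);
  if (v[0] === 2 && v[1] === 20) return lessThan(v, FIXED.v2_20);
  return lessThan(v, FIXED.v2);
}

// Assumption: NODES_EXCLUDE holds a JSON array of node type names.
function xmlNodeExcluded(envValue) {
  if (!envValue) return false;
  try {
    const list = JSON.parse(envValue);
    return Array.isArray(list) && list.includes(XML_NODE);
  } catch {
    return false; // malformed value: treat the XML node as still enabled
  }
}

function triage(version, envValue) {
  if (!isAffected(version)) return 'patched';
  return xmlNodeExcluded(envValue) ? 'affected-mitigated' : 'affected-exposed';
}

// Constructed sample inputs: [version, NODES_EXCLUDE value].
const samples = [['1.123.42', ''], ['2.20.7', ''], ['2.21.3', '["n8n-nodes-base.xml"]']];
for (const [ver, env] of samples) {
  console.log(ver, triage(ver, env));
}
```

An "affected-mitigated" result still calls for the update; excluding the XML node is the interim measure the advisory lists, alongside restricting who can create or edit workflows.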

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-44791
GHSA-WRWR-H859-XH2R

Affected Products

N8N