
n8n CVE-2026-42232

EUVD-2026-27104 | CRITICAL
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-29 | https://github.com/n8n-io/n8n | GHSA-hqr4-h3xv-9m3r
CVSS 4.0 base score: 9.4

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (7 events)

May 04, 2026 - 20:01 EUVD: Patch available
May 04, 2026 - 19:22 vuln.today: Re-analysis queued
May 04, 2026 - 19:22 NVD: CVSS changed from 10.0 (CRITICAL) to 9.4 (CRITICAL)
Apr 29, 2026 - 22:02 vuln.today: Source code evidence fetched
Apr 29, 2026 - 22:02 vuln.today: Analysis generated
Apr 29, 2026 - 21:30 vuln.today: Analysis generated
Apr 29, 2026 - 21:25 nvd: CVE published, CRITICAL 10.0

Description (NVD)

Impact

An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution.
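As an added illustration of the weakness class named above (CWE-1321), and not code from n8n or from the XML node itself: a deep merge that copies whatever keys an untrusted document supplies onto a plain object lets a key named `__proto__` reach `Object.prototype`, after which every object in the process, including ones other nodes rely on, inherits the injected property. The hardened merge below writes only own keys, drops prototype-related names and uses null-prototype containers; `findPrototypeKeys` is a detection check for rejecting or logging such input before any merge runs. The function names and the sample document are constructed for this example.

```javascript
// Added illustration of CWE-1321 (prototype pollution); this is not n8n's
// code and does not describe how the XML node is implemented. Names are constructed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak pattern: a recursive merge that trusts every key in the parsed input.
// For the key "__proto__", target[key] on a plain object resolves to
// Object.prototype, so nested values land on the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern: own keys only, prototype-related names dropped, and new
// containers created with a null prototype so there is nothing to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, to reject the whole document
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = own && typeof own === 'object' ? own : Object.create(null);
      target[key] = safeMerge(child, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Detection: list every path in parsed input that names a prototype-related key,
// so the document can be rejected or logged before any merge runs.
function findPrototypeKeys(value, path = '') {
  const hits = [];
  if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (FORBIDDEN_KEYS.has(key)) hits.push(here);
      hits.push(...findPrototypeKeys(value[key], here));
    }
  }
  return hits;
}

// Constructed sample document: a "__proto__" key is the textbook trigger for this
// weakness. JSON.parse keeps it as an own property, which is exactly what a
// document-to-object conversion step hands to a merge.
const SAMPLE_DOCUMENT = '{"__proto__": {"polluted": "yes"}, "name": "order-42"}';

// Report whether merging the sample with the given merge function leaves a
// "polluted" property on Object.prototype; cleans up afterwards so the
// demonstration does not leave the process polluted.
function pollutesGlobalPrototype(mergeFn) {
  const parsed = JSON.parse(SAMPLE_DOCUMENT);
  mergeFn({}, parsed);
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('prototype keys found:', findPrototypeKeys(JSON.parse(SAMPLE_DOCUMENT)));
  console.log('unsafeMerge pollutes Object.prototype:', pollutesGlobalPrototype(unsafeMerge));
  console.log('safeMerge pollutes Object.prototype:', pollutesGlobalPrototype(safeMerge));
}
```

The same guard applies to any step that turns a parsed document (XML, JSON, YAML) into object properties: filter the keys, never let a merge walk through the `__proto__` accessor, and treat a document that names such a key as hostile input worth logging.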

Patches

The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
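The Patches and Workarounds sections above translate into a small triage routine; the following is an added example, not n8n's code or tooling. It treats the three fixed releases (1.123.32, 2.17.4, 2.18.1) as closing their release lines, so any earlier release on the same line is affected and 2.18.0 in particular is not fixed; a major version newer than every listed fix is assumed to count as "later". `NODES_EXCLUDE` is read by n8n as a JSON array of node type names, and the helper merges `n8n-nodes-base.xml` into an existing value rather than overwriting it. The inventory records and host names are constructed.

```javascript
// Added triage helper for this advisory; not n8n code. Assumptions: each fixed
// release closes its release line, earlier releases on that line are affected,
// and a major newer than every fixed major is a later, fixed release.

const FIXED_VERSIONS = ['1.123.32', '2.17.4', '2.18.1'];
const XML_NODE_TYPE = 'n8n-nodes-base.xml';

// Parse "1.123.32" or "v2.18.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised n8n version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the given n8n version predates the fix on its release line.
function isAffected(version) {
  const [maj, min, pat] = parseVersion(version);
  const fixed = FIXED_VERSIONS.map(parseVersion);
  const sameMajor = fixed.filter(f => f[0] === maj);
  if (sameMajor.length === 0) {
    // No fix listed for this major: older than every fixed major is affected,
    // newer than every fixed major is treated as a later release (assumption).
    return maj < Math.max(...fixed.map(f => f[0]));
  }
  // Fixed lines on this major whose minor is at or below ours.
  const lines = sameMajor.filter(f => f[1] <= min);
  if (lines.length === 0) return true;             // predates the first fix on this major
  const line = lines.reduce((a, b) => (b[1] > a[1] ? b : a));
  if (min > line[1]) return false;                 // a later minor carries the fix
  return pat < line[2];                            // same minor: compare patch level
}

// n8n reads NODES_EXCLUDE as a JSON array of node type names. Merge the XML
// node into an existing value without dropping or duplicating entries.
function nodesExcludeWithXml(existing = '[]') {
  let list;
  try {
    list = JSON.parse(existing || '[]');
  } catch {
    throw new Error('NODES_EXCLUDE must be a JSON array of node type names');
  }
  if (!Array.isArray(list)) throw new Error('NODES_EXCLUDE must be a JSON array');
  if (!list.includes(XML_NODE_TYPE)) list.push(XML_NODE_TYPE);
  return JSON.stringify(list);
}

// Classify one inventory record {name, version, nodesExclude}. "mitigated" means
// the XML node is disabled on an unpatched build; the advisory calls that a
// short-term measure only, so it is deliberately not reported as "patched".
function triage(instance) {
  if (!isAffected(instance.version)) return 'patched';
  let excluded = [];
  try { excluded = JSON.parse(instance.nodesExclude || '[]'); } catch { excluded = []; }
  return Array.isArray(excluded) && excluded.includes(XML_NODE_TYPE) ? 'mitigated' : 'exposed';
}

// Constructed inventory for demonstration; hosts and versions are not from the advisory.
const SAMPLE_INVENTORY = [
  { name: 'n8n-prod', version: '2.18.0', nodesExclude: '[]' },
  { name: 'n8n-legacy', version: '1.123.31', nodesExclude: '["n8n-nodes-base.xml"]' },
  { name: 'n8n-dev', version: '2.18.1', nodesExclude: '' },
];

function triageInventory(inventory = SAMPLE_INVENTORY) {
  return inventory.map(i => ({ name: i.name, version: i.version, status: triage(i) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of triageInventory()) console.log(`${row.name}\t${row.version}\t${row.status}`);
  console.log(`NODES_EXCLUDE=${nodesExcludeWithXml('["n8n-nodes-base.executeCommand"]')}`);
}
```

Run it as a plain Node script to print one status line per instance and the merged `NODES_EXCLUDE` value; "exposed" instances are the ones that need either the upgrade or, at minimum, the XML node disabled and workflow-edit rights restricted.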

Analysis (AI-generated)

Prototype pollution in n8n's XML node allows authenticated workflow editors to achieve remote code execution through global prototype manipulation. The vulnerability affects the n8n workflow automation platform in versions prior to 1.123.32, 2.17.4, and 2.18.1, enabling attackers with workflow creation privileges to inject malicious properties into JavaScript object prototypes that other nodes can then be made to act on, resulting in arbitrary code execution. …


Remediation (AI-generated)

Within 24 hours: identify all n8n instances and the versions in use; restrict workflow creation privileges to trusted administrators only and audit existing workflow permissions. Within 7 days: apply vendor patches by upgrading to n8n 1.123.32, 2.17.4, or 2.18.1 depending on your current branch; test patches in a staging environment before production deployment. …



CVE-2026-42232 vulnerability details – vuln.today
