Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Impact
An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution.
Patches
The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the XML node by adding
n8n-nodes-base.xmlto theNODES_EXCLUDEenvironment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Prototype pollution in n8n's XML node allows authenticated workflow editors to achieve remote code execution through global prototype manipulation. The vulnerability affects n8n workflow automation platform versions prior to 1.123.32, 2.17.4, and 2.18.1, enabling attackers with workflow creation privileges to inject malicious properties into JavaScript object prototypes that can be exploited by other nodes to execute arbitrary code. Vendor-released patches are available for all affected version branches. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS 10.0 score reflects the critical scope change and complete system compromise potential.
Technical ContextAI
This vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution, in n8n's XML node component. N8n is a workflow automation platform built on Node.js that uses a visual programming interface with interconnected nodes. The XML node, used for parsing and manipulating XML data, fails to properly sanitize input, allowing injection of properties into JavaScript's Object.prototype. In JavaScript's prototype-based inheritance model, polluting the global prototype affects all object instances application-wide. When combined with other n8n nodes that access polluted properties without validation, this creates a gadget chain enabling remote code execution within the Node.js runtime environment. The npm package 'n8n' distributed via the Node Package Manager is the affected component.
RemediationAI
Upgrade to patched versions: 1.123.32 for 1.x branch users, 2.17.4 for 2.17.x users, or 2.18.1 for 2.18.x users as specified in GitHub advisory GHSA-hqr4-h3xv-9m3r. If immediate patching is not feasible, implement temporary mitigations: restrict workflow creation and editing permissions to fully vetted trusted users only through n8n's access control settings, and disable the vulnerable XML node by setting the environment variable NODES_EXCLUDE=n8n-nodes-base.xml before starting n8n. Note that disabling the XML node will break existing workflows that depend on XML parsing functionality and may impact business processes. The vendor explicitly states workarounds do not fully remediate risk and should only serve as short-term measures until patching is completed. Verify successful mitigation by confirming the XML node is unavailable in the workflow editor and testing that existing XML-dependent workflows fail gracefully.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27104
GHSA-hqr4-h3xv-9m3r