Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Public webhook requires no auth (AV:N, PR:N) but specific workflow topology required (AC:H); S:C captures confused-deputy projection onto external credential-authenticated targets.
Primary rating from Vendor (https://github.com/n8n-io/n8n).
CVSS VectorVendor: https://github.com/n8n-io/n8n
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Impact
A prototype pollution vulnerability allowed a crafted public webhook payload to inject attacker-controlled fields into workflow data during internal object copying. These fields could be surfaced and consumed as normal values by downstream built-in nodes.
Where a workflow combines a public webhook with action nodes that consume the resulting fields, an attacker could cause the workflow to act as a confused deputy - targeting unintended records or issuing outbound requests using the workflow owner's configured credentials.
Patches
The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Avoid exposing public (unauthenticated) webhook workflows that pass incoming data through transform nodes into action nodes with sensitive credentials or database operations.
- Limit workflow creation and editing permissions to fully trusted users only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Prototype pollution in n8n's internal webhook object-copying routine enables unauthenticated network attackers to inject attacker-controlled fields into workflow execution data, turning affected workflows into confused deputies that abuse the workflow owner's stored credentials. Affected npm package versions span all n8n releases below 2.25.7 and the 2.26.0-2.26.1 range; vendor-confirmed patches are available. Exploitation is constrained by a specific workflow topology requirement, but where that topology exists the impact extends beyond n8n itself to external systems reachable via the owner's configured credentials - a scope change that the CVSS S:C metric appropriately captures. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
n8n is a Node.js workflow automation platform distributed as pkg:npm/n8n. The vulnerable code path lies in the internal object-copying routine that ingests and propagates incoming webhook payload data between workflow nodes. CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes - 'Prototype Pollution') describes the root cause: when a JSON body containing keys such as __proto__ or constructor.prototype is merged or cloned without sanitization, attacker-supplied properties contaminate the shared JavaScript Object prototype, causing them to appear as enumerable properties on all downstream objects within the same runtime context. In n8n's execution model, this means injected keys surface as legitimate workflow field values when built-in action nodes (database connectors, HTTP request nodes, cloud-service integrations) read from the workflow's data object. The pollution occurs at the boundary where the public webhook receives external input and copies it into the internal workflow data graph, before any node-level data validation runs.
RemediationAI
Upgrade n8n to version 2.25.7 or 2.26.2 (or any later release) as detailed in the vendor's GitHub Security Advisory GHSA-2vff-hj5x-8gq7 (https://github.com/n8n-io/n8n/security/advisories/GHSA-2vff-hj5x-8gq7); these are the vendor-confirmed patch versions. If an immediate upgrade is not operationally feasible, the vendor explicitly endorses two interim mitigations, both with acknowledged limitations. First, disable or restructure any public (unauthenticated) webhook workflows that route incoming payload data through transform nodes into action nodes configured with sensitive stored credentials or database write permissions - this directly eliminates the confused-deputy attack surface but reduces automation capability for those specific workflows. Second, restrict workflow creation and editing permissions to fully trusted users only, preventing introduction of new vulnerable workflow topologies; note this does not protect already-published public webhook workflows and does not substitute for patching. The vendor explicitly states these workarounds are incomplete and intended only as short-term measures pending upgrade.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38474
GHSA-2vff-hj5x-8gq7