n8n: Prototype pollution enables RCE via workflow nodes
Authenticated n8n users with workflow permissions can pollute Object.prototype via XML or GSuiteAdmin nodes, achieving full RCE on the server host. Patch immediately to 2.14.1, 2.13.3, or 1.123.27 — n8n is a widely-deployed AI agent orchestration hub where server compromise cascades to every connected LLM API, database, and downstream service. If patching is delayed, restrict workflow editing to fully trusted accounts only and exclude the XML node via NODES_EXCLUDE.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | = 2.14.0 | 2.14.1 |
Running an n8n version in the vulnerable range? You're affected.
Recommended Action
1. PATCH: Upgrade to n8n 2.14.1, 2.13.3, or 1.123.27 immediately.
2. RESTRICT: Audit and limit workflow creation/editing permissions to fully trusted users only; treat this permission as equivalent to server admin.
3. NODE EXCLUSION: Add `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable as a temporary compensating control.
4. AUDIT WORKFLOWS: Review existing workflows for unexpected XML or GSuiteAdmin node configurations that may indicate prior exploitation.
5. MONITOR: Alert on unexpected outbound connections, child process spawns, or anomalous environment variable access from the n8n process.
6. ROTATE CREDENTIALS: If compromise is suspected, immediately rotate all API keys and credentials stored in n8n's credential store and environment.
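Step 4 (audit workflows) is easiest to do against exported workflow JSON. The script below is an added example, not n8n's own code: it walks each node of an export, flags the node types named in the advisory, and separately flags any parameter key (`__proto__`, `constructor`, `prototype`) that an unsafe recursive merge would follow up the prototype chain, whatever the node type. It assumes the export has n8n's `{ nodes: [{ name, type, parameters }] }` shape and that the GSuiteAdmin node's type string is `n8n-nodes-base.gSuiteAdmin`; the sample workflow is constructed.

```javascript
// Added example, not n8n's own code: audit exported n8n workflow JSON for the node
// types the advisory names and for parameter keys that target the prototype chain.
// Assumptions: exports follow n8n's { nodes: [{ name, type, parameters }] } shape,
// and the GSuiteAdmin node's type string is "n8n-nodes-base.gSuiteAdmin".

const WATCHED_NODE_TYPES = new Set([
  "n8n-nodes-base.xml",          // named in the advisory and in the NODES_EXCLUDE workaround
  "n8n-nodes-base.gSuiteAdmin",  // assumed type string for the GSuiteAdmin node
]);

// Keys that an unsafe recursive merge would follow up the prototype chain.
const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parameters object and return the JSON paths of every pollution key.
// Object.keys is used because JSON.parse stores "__proto__" as an ordinary own property.
function findPollutionKeys(value, path = "parameters", out = []) {
  if (value === null || typeof value !== "object") return out;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (POLLUTION_KEYS.has(key)) out.push(here);
    findPollutionKeys(value[key], here, out); // own property shadows the inherited accessor
  }
  return out;
}

// Return one finding per node that is either a watched type or carries suspicious keys.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    const watched = WATCHED_NODE_TYPES.has(node.type);
    const suspiciousPaths = findPollutionKeys(node.parameters ?? {});
    if (watched || suspiciousPaths.length > 0) {
      findings.push({ name: node.name, type: node.type, watched, suspiciousPaths });
    }
  }
  return findings;
}

// Constructed sample export for the demo; it is not taken from any real instance.
const SAMPLE_WORKFLOW = {
  name: "nightly-report",
  nodes: [
    { name: "Schedule", type: "n8n-nodes-base.scheduleTrigger", parameters: {} },
    { name: "Parse feed", type: "n8n-nodes-base.xml",
      parameters: { mode: "xmlToJson", options: {} } },
    { name: "Odd node", type: "n8n-nodes-base.set",
      parameters: JSON.parse('{"options": {"__proto__": {"polluted": true}}}') },
  ],
};

const SAMPLE_FINDINGS = auditWorkflow(SAMPLE_WORKFLOW);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Point `auditWorkflow` at each workflow object in a bulk export (for example the JSON written by the n8n CLI's `export:workflow` command) and review every finding by hand: a watched node type is expected in many legitimate workflows, but a pollution key inside `parameters` has no legitimate reason to be there and warrants the credential rotation in step 6.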
Technical Details
NVD Description
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An adversary obtains a low-privilege n8n account via credential stuffing, phishing, or insider threat. They create or modify a workflow containing an XML node with crafted parameters that write attacker-controlled values onto Object.prototype. When the workflow executes, the polluted prototype causes Node.js to execute attacker-supplied code with n8n process privileges. In an AI agent context, this grants full control of the orchestrator — the attacker silently modifies agent system prompts, redirects tool calls to attacker-controlled endpoints, and exfiltrates the credentials used to authenticate against every LLM API, vector database, and connected service in the automation pipeline.
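The weakness class behind the advisory, shown on a generic recursive merge as an added example that is not n8n's code and does not reproduce the affected nodes: `unsafeMerge` honours a `__proto__` key and so writes into `Object.prototype`, `safeMerge` rejects prototype-chain keys outright, and freezing `Object.prototype` is shown as a runtime backstop that makes even the unsafe merge harmless. The payload, function names and the `demonstrate` helper are constructed for illustration.

```javascript
// Added example, not n8n's code: prototype pollution on a generic recursive merge,
// the hardened merge that stops it, and Object.freeze(Object.prototype) as a backstop.

// Unsafe merge: copies every enumerable key of src into dst, recursing into objects.
// JSON.parse stores "__proto__" as an own key, so dst["__proto__"] resolves to
// Object.prototype and the nested write lands on every object in the process.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const v = src[key];
    if (typeof v === "object" && v !== null) {
      if (typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], v);
    } else {
      dst[key] = v;
    }
  }
  return dst;
}

// Hardened merge: refuse prototype-chain keys and only recurse into dst's OWN objects,
// so a key can never steer the walk onto an inherited object.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const v = src[key];
    if (typeof v === "object" && v !== null && !Array.isArray(v)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key) ? dst[key] : undefined;
      if (typeof own !== "object" || own === null) dst[key] = {};
      safeMerge(dst[key], v);
    } else {
      dst[key] = v;
    }
  }
  return dst;
}

// Runs the comparison once (freezing Object.prototype is irreversible, so the
// result is cached) and reports what a fresh object inherits at each stage.
let cachedDemo;
function demonstrate() {
  if (cachedDemo) return cachedDemo;
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input

  const before = ({}).polluted;              // undefined: prototype is clean
  unsafeMerge({}, payload);
  const afterUnsafe = ({}).polluted;         // "yes": every object now inherits it
  delete Object.prototype.polluted;          // undo the damage for the rest of the demo

  let safeRejected = false;
  try { safeMerge({}, payload); } catch (e) { safeRejected = true; }
  const afterSafe = ({}).polluted;           // still undefined

  // Backstop: once frozen, the unsafe merge's write is ignored (sloppy mode) or
  // throws a TypeError (strict mode); either way nothing reaches the prototype.
  Object.freeze(Object.prototype);
  try { unsafeMerge({}, payload); } catch (e) { /* strict-mode TypeError */ }
  const afterFreeze = ({}).polluted;         // undefined

  cachedDemo = { before, afterUnsafe, safeRejected, afterSafe, afterFreeze };
  return cachedDemo;
}

console.log(demonstrate());
```

Freezing `Object.prototype` is coarse: it has to run before any library that legitimately extends the prototype, so test it against the full dependency set before relying on it. The durable fix is the one the advisory ships, a merge that never treats `__proto__`, `constructor` or `prototype` as data keys.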
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-mxrg-77hm-89hv
- github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv (Vendor Mitigation)
- nvd.nist.gov/vuln/detail/CVE-2026-33696
AI Threat Alert