Authenticated n8n users with workflow permissions can pollute Object.prototype via XML or GSuiteAdmin nodes, achieving full RCE on the server host. Patch immediately to 2.14.1, 2.13.3, or 1.123.27 — n8n is a widely-deployed AI agent orchestration hub where server compromise cascades to every connected LLM API, database, and downstream service. If patching is delayed, restrict workflow editing to fully trusted accounts only and exclude the XML node via NODES_EXCLUDE.
What is the risk?
High exploitability with a devastating blast radius in AI/ML environments. Only authenticated access with workflow create/edit rights is needed: a compromised workflow editor account or a malicious insider suffices. Prototype pollution to RCE is a well-documented attack chain in Node.js ecosystems with readily available tooling. n8n is frequently internet-exposed and acts as the orchestration backbone for AI agent pipelines, so a successful exploit yields lateral access to every API key, credential, and connected system in the automation fabric.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | 2.14.x < 2.14.1 | 2.14.1 |
| n8n | npm | 2.13.x < 2.13.3 | 2.13.3 |
| n8n | npm | 1.x < 1.123.27 | 1.123.27 |
If you run n8n on any version before 2.14.1 (2.14 line), 2.13.3 (2.13 line) or 1.123.27 (1.x line), you're affected, regardless of which nodes your workflows currently use.
What should I do?
1. PATCH: Upgrade to n8n 2.14.1, 2.13.3, or 1.123.27 (or later in the same release line) immediately. This is the only full remediation; everything below is a stopgap.
2. RESTRICT: Audit and limit workflow creation/editing permissions to fully trusted users only. Treat this permission as equivalent to server admin, because anyone who holds it can reach code execution on the host.
3. NODE EXCLUSION: Add `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable as a temporary compensating control. n8n reads this variable as a JSON array string, so the value is `["n8n-nodes-base.xml"]` (quoted as your deployment tooling requires), and the instance must be restarted for it to take effect. The advisory names no equivalent exclusion for the GSuiteAdmin node, so this control does not cover that path.
4. AUDIT WORKFLOWS: Review existing workflows for unexpected XML or GSuiteAdmin node configurations, and for node parameters containing `__proto__`, `constructor` or `prototype`, which may indicate prior exploitation.
5. MONITOR: Alert on unexpected outbound connections, child process spawns, or anomalous environment variable access from the n8n process.
6. ROTATE CREDENTIALS: If compromise is suspected, immediately rotate all API keys and credentials stored in n8n's credential store and environment; assume anything the process could read was read.
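A scripted form of the audit step above, as an added example that is not n8n's own tooling: it walks an exported workflow JSON, flags nodes of the types named in the advisory, and flags any node whose parameters contain a prototype-reaching key or a string that carries `__proto__` (the shape an XML tag name would take). It assumes the standard export shape `{ nodes: [{ name, type, parameters }] }`; the XML node identifier comes from the advisory, the GSuiteAdmin identifier is an assumption, and the sample export is constructed with illustrative parameter names.

```javascript
// Added example, not n8n's code: audit an exported workflow for the node types
// named in CVE-2026-33696 and for prototype-reaching keys/strings in parameters.
// Runs under Node.js with no dependencies.

const SUSPECT_NODE_TYPES = new Set([
  'n8n-nodes-base.xml',         // identifier from the advisory
  'n8n-nodes-base.gSuiteAdmin', // assumed identifier for the GSuiteAdmin node
]);
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A string is suspicious if it carries "__proto__" (for example as an XML tag
// name) or both "constructor" and "prototype" together.
function stringLooksPolluting(s) {
  return s.includes('__proto__') ||
    (/\bconstructor\b/.test(s) && /\bprototype\b/.test(s));
}

// Depth-first walk over parsed JSON. JSON.parse stores "__proto__" as an own
// data property (it never calls the setter), so Object.keys reports it and the
// walk itself cannot pollute anything.
function walk(value, path, visit) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, visit));
  } else if (value !== null && typeof value === 'object') {
    for (const k of Object.keys(value)) {
      const p = path ? `${path}.${k}` : k;
      visit(k, value[k], p);
      walk(value[k], p, visit);
    }
  }
}

// Returns the parameter paths with dangerous keys and with suspicious strings.
function scanParameters(parameters) {
  const keyHits = [];
  const stringHits = [];
  walk(parameters, '', (key, val, path) => {
    if (DANGEROUS_KEYS.has(key)) keyHits.push(path);
    if (typeof val === 'string' && stringLooksPolluting(val)) stringHits.push(path);
  });
  return { keyHits, stringHits };
}

// One finding per node that is either a suspect type or carries suspicious
// parameters; clean nodes of other types are not reported.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const suspectType = SUSPECT_NODE_TYPES.has(node.type);
    const { keyHits, stringHits } = scanParameters(node.parameters || {});
    if (suspectType || keyHits.length || stringHits.length) {
      findings.push({ node: node.name, type: node.type, suspectType, keyHits, stringHits });
    }
  }
  return findings;
}

// Constructed sample export; parameter names are illustrative, not n8n's real schema.
const SAMPLE_WORKFLOW_JSON = `{
  "name": "constructed sample export",
  "nodes": [
    { "name": "Set fields", "type": "n8n-nodes-base.set",
      "parameters": { "fields": [ { "name": "greeting", "value": "hello" } ] } },
    { "name": "Parse XML", "type": "n8n-nodes-base.xml",
      "parameters": { "mode": "xmlToJson", "dataProperty": "body" } },
    { "name": "Odd HTTP", "type": "n8n-nodes-base.httpRequest",
      "parameters": { "url": "https://example.invalid/", "__proto__": { "polluted": "yes" } } },
    { "name": "Inline XML", "type": "n8n-nodes-base.xml",
      "parameters": { "mode": "xmlToJson",
        "xml": "<root><__proto__><polluted>yes</polluted></__proto__></root>" } }
  ]
}`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditWorkflow(JSON.parse(SAMPLE_WORKFLOW_JSON))) {
    console.log(JSON.stringify(f));
  }
}
```

Run it against `n8n export:workflow --all` output (or the JSON from the editor's download button) and triage every finding: a suspect node type with clean parameters is normal for a workflow that legitimately parses XML, while a `__proto__` key or tag in any node's parameters has no legitimate use.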
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-33696?
CVE-2026-33696 is a prototype pollution vulnerability in n8n's XML and GSuiteAdmin nodes. An authenticated user with permission to create or modify workflows can supply crafted node parameters that write attacker-controlled values onto Object.prototype, which can be chained into remote code execution on the n8n host. It is fixed in n8n 2.14.1, 2.13.3 and 1.123.27; until you have patched, restrict workflow editing to fully trusted accounts and exclude the XML node via NODES_EXCLUDE.
Is CVE-2026-33696 actively exploited?
No confirmed active exploitation of CVE-2026-33696 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33696?
1. PATCH: Upgrade to n8n 2.14.1, 2.13.3, or 1.123.27 immediately.
2. RESTRICT: Audit and limit workflow creation/editing permissions to fully trusted users only; treat this permission as equivalent to server admin.
3. NODE EXCLUSION: Add `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable as a temporary compensating control.
4. AUDIT WORKFLOWS: Review existing workflows for unexpected XML or GSuiteAdmin node configurations that may indicate prior exploitation.
5. MONITOR: Alert on unexpected outbound connections, child process spawns, or anomalous environment variable access from the n8n process.
6. ROTATE CREDENTIALS: If compromise is suspected, immediately rotate all API keys and credentials stored in n8n's credential store and environment.
What systems are affected by CVE-2026-33696?
Every n8n instance running a version before 2.14.1, 2.13.3, or 1.123.27 is affected. In architecture terms that covers n8n deployed as an AI agent framework, workflow automation pipeline, multi-agent orchestrator, LLM integration platform, or tool-use AI system.
What is the CVSS score for CVE-2026-33696?
CVE-2026-33696 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.18%.
Technical Details
NVD Description
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An adversary obtains an n8n account with workflow create/edit rights via credential stuffing, phishing, or an insider. They create or modify a workflow containing an XML (or GSuiteAdmin) node whose parameters are crafted so that, when the node runs, attacker-controlled keys and values are written onto Object.prototype. Because every plain object in the Node.js process inherits from that prototype, code elsewhere in n8n that reads an option it never set (a spawn or execution setting checked with a simple truthiness test, for example) now sees the attacker's value, and the attacker chains that gadget into execution of their own code with the n8n process's privileges. In an AI agent context, this grants full control of the orchestrator: the attacker silently modifies agent system prompts, redirects tool calls to attacker-controlled endpoints, and exfiltrates the credentials used to authenticate against every LLM API, vector database, and connected service in the automation pipeline.
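The mechanism described in this scenario, as an added example that is not n8n's code and not the advisory's actual vulnerable path (which it does not disclose): a parameter-driven "set value at dotted path" helper of the kind configuration code often has, the hardened equivalent, and a stand-in gadget (`gadgetWouldUseShell`, a hypothetical name) that shows why one write to Object.prototype is felt by unrelated code. Runs under Node.js with no dependencies.

```javascript
// Added example, not n8n's code: the shape of a parameter-driven prototype
// pollution bug, its hardened form, and a gadget that reads the polluted value.

// Naive "write value at dotted path" helper. The attacker controls `path`, so
// "__proto__.shell" walks onto Object.prototype and writes there.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened version: refuse the keys that reach a prototype, and only descend
// into properties the current object owns itself, never inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (BLOCKED_KEYS.has(k)) throw new Error(`refusing prototype-reaching key "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hypothetical gadget: code elsewhere in the process that treats a missing
// option as "off". After pollution an empty options object inherits the
// attacker's value; when the option governs something like shell use or the
// environment of a spawned process, that inherited value is the path to RCE.
function gadgetWouldUseShell(options) {
  return options.shell === true;
}

// Pollute, observe the gadget flip, then clean up so the process is left intact.
function demonstratePollution() {
  const before = gadgetWouldUseShell({});       // false on a clean process
  setPathUnsafe({}, '__proto__.shell', true);   // writes Object.prototype.shell
  const after = gadgetWouldUseShell({});        // true: every {} now inherits it
  delete Object.prototype.shell;
  return { before, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstratePollution());          // { before: false, after: true }
  try { setPathSafe({}, '__proto__.shell', true); } catch (e) { console.log(e.message); }
}
```

The blocklist is the fix that matters; the own-property check is belt and braces so the helper never walks into an inherited object on targets that are not plain objects. The same two checks apply to recursive merges and to anything that turns parsed XML or JSON keys into object property names.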
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (same package: n8n)