CVE-2026-42231: n8n: prototype pollution → RCE via Git node SSH

GHSA-q5f4-99jv-pgg5 | Severity: Unknown | CISA SSVC: Track*
Published April 29, 2026
CISO Take

A vulnerability in n8n's XML webhook parsing allows any authenticated user with workflow edit rights to pollute JavaScript's object prototype via a crafted XML body, then chain that pollution through n8n's built-in Git node to achieve full remote code execution on the n8n host. For organizations running n8n as an AI agent orchestration platform — where it holds API keys to OpenAI, Anthropic, databases, and internal services — a single compromised account can fully own the automation server and everything it touches. While EPSS sits at 0.27% with no public exploit yet, n8n's track record of 75 CVEs and a 6/10 OpenSSF score signal systemic security debt that makes future weaponization plausible. Patch immediately to ≥1.123.32 (v1 LTS) or ≥2.17.4/2.18.1 (v2), and audit which users hold workflow-edit permissions — restrict or disable Git node access where not operationally required.

Sources: NVD, GitHub Advisory, EPSS, ATLAS, OpenSSF

What is the risk?

HIGH. The attack requires authenticated access, which limits opportunistic mass exploitation, but the authenticated threat model (malicious insider, phished employee, credential-stuffed exposed instance) is realistic for enterprise n8n deployments. The prototype pollution-to-SSH-RCE chain is technically sophisticated but well-documented in the advisory, lowering the skill floor for motivated actors. n8n's role as an AI agent hub with privileged outbound connectivity amplifies the blast radius well beyond the host itself. 75 prior CVEs in the same package and a moderate OpenSSF score indicate this is not an isolated incident.

How does the attack unfold?

1. Initial Access (AML.T0049)
   Authenticated attacker with workflow edit permissions sends a crafted XML POST request to an n8n webhook endpoint they control or created.
2. Prototype Pollution (AML.T0010.001)
   xml2js parses the malicious XML body without sanitization, injecting attacker-controlled properties into JavaScript's Object.prototype, affecting all objects in the Node.js process.
3. Tool Invocation Abuse (AML.T0053)
   Workflow execution triggers the Git node; polluted prototype properties corrupt the SSH client's configuration, enabling injection of arbitrary commands into the SSH invocation.
4. Host Compromise (AML.T0112)
   Arbitrary commands execute on the n8n host, granting the attacker full control of the AI orchestration server, its stored credentials, and all connected internal and external services.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | < 1.123.32 | 1.123.32

Package profile: 193.4K, OpenSSF 6.6, pushed 4d ago, 54% patched, ~7d to patch

How severe is it?

CVSS 3.1: N/A
EPSS: 0.9% chance of exploitation in 30 days (higher than 53% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Advanced

What should I do?

  1. Patch immediately: Upgrade n8n to ≥1.123.32 (v1 LTS) or ≥2.17.4/2.18.1 (v2).

  2. Restrict permissions: Audit who holds workflow create/modify rights — apply least-privilege; revoke or limit access to the Git node if SSH operations are not required.

  3. Network isolation: Block outbound SSH from the n8n container/process to non-approved hosts via egress firewall rules.

  4. Detection: Monitor for anomalous SSH connections spawned by the n8n process, unexpected child processes under the n8n parent, or inbound webhook POST requests with XML content-type containing deeply nested or numeric-key XML structures.

  5. Credential rotation: After patching, audit and rotate all API keys and credentials stored in n8n workflow configurations — assume they may have been accessible to an attacker who exploited this prior to patching.

What does CISA's SSVC say?

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  - Article 15 - Accuracy, robustness and cybersecurity
  - Article 9 - Risk management system
ISO 42001
  - 6.1.2 - AI risk assessment
  - A.9.1 - Monitoring and incident management for AI systems
NIST AI RMF
  - GOVERN 1.2 - Accountability for AI risk across the organization
  - MANAGE 2.4 - Mechanisms for incident response and recovery
OWASP LLM Top 10
  - LLM05:2025 - Supply Chain Vulnerabilities
  - LLM08:2025 - Excessive Agency


What is the AI security impact?

Affected AI Architectures

agent frameworks, workflow automation pipelines, AI orchestration platforms, multi-tool AI agent deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, A.9.1
NIST AI RMF: GOVERN 1.2, MANAGE 2.4
OWASP LLM Top 10: LLM05:2025, LLM08:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Exploitation Scenario

An adversary with authenticated n8n access — via a phished employee, credential stuffing on an internet-exposed instance, or a malicious insider — creates a workflow containing a webhook trigger and a Git node. They send a crafted HTTP POST to the webhook endpoint with an XML body embedding prototype-polluting keys (e.g., keys resolving to `__proto__`) that xml2js parses without sanitization, injecting attacker-controlled values into Object.prototype. When the workflow executes and reaches the Git node, n8n's SSH client internals consume the now-polluted prototype properties, allowing the attacker to inject arbitrary commands into the SSH invocation. This yields RCE on the n8n host under the service account, from which the attacker extracts stored credentials for every connected AI API and internal service, establishes persistence, and pivots laterally.

Weaknesses (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

  • [Implementation] By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
  • [Architecture and Design] By blocking modifications of attributes that resolve to the object prototype, such as `__proto__`, `constructor` or `prototype`, this weakness can be mitigated.

Source: MITRE CWE corpus.
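As an added illustration of the two CWE-1321 mitigations listed above and of the webhook-inspection detection step earlier on this page, the following JavaScript is example code written for this page, not n8n or xml2js code. It assumes a Node.js webhook handler that can look at the raw request body before it reaches the XML parser and at the parsed object afterwards; the sample bodies are constructed, and the regex, the function names and the null-prototype merge target are this example's own choices. The pre-parse gate matters because a parser that assigns `obj[tagName] = value` turns a `__proto__` element into a prototype write rather than an own key, so a scan of the parsed result alone would miss it.

```javascript
'use strict';
// Added example (not n8n or xml2js code): defensive controls against
// CWE-1321 for a webhook that accepts XML or JSON bodies.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Pre-parse gate: flag raw XML whose element names could resolve to the
// prototype chain. Runs before any parser assigns obj[tagName] = value.
// The regex tolerates an optional namespace prefix and attributes.
function rawXmlHasPrototypeTags(xml) {
  return /<\s*(?:[\w.-]+:)?(?:__proto__|constructor|prototype)\b/i.test(xml);
}

// Post-parse scan: walk an object tree (as JSON.parse produces it, where
// "__proto__" is an own key) and return dotted paths of dangerous keys.
function findPrototypeKeys(value, path = [], found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.getOwnPropertyNames(value)) {
    const here = [...path, key];
    if (DANGEROUS_KEYS.has(key)) found.push(here.join('.'));
    findPrototypeKeys(value[key], here, found);
  }
  return found;
}

// Safe deep-assign: copies only own, non-dangerous keys onto a
// null-prototype target, so no key can reach Object.prototype.
// Arrays are copied by reference; an array value cannot pollute the target.
function safeDeepAssign(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const v = source[key];
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      const existing = Object.hasOwn(target, key) ? target[key] : Object.create(null);
      target[key] = safeDeepAssign(existing, v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Hardening option from the CWE-1321 guidance: freeze the prototype once at
// process start. Not invoked here because it affects the whole process.
function hardenPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Constructed sample webhook bodies (not captured traffic).
const BENIGN_XML = '<order><id>42</id><item>widget</item></order>';
const SUSPECT_XML = '<order><__proto__><polluted>1</polluted></__proto__></order>';
const SUSPECT_JSON = '{"order":{"id":42,"__proto__":{"polluted":1}}}';

// Runs all three controls over the samples and reports what each saw.
function demo() {
  const parsed = JSON.parse(SUSPECT_JSON);
  const clean = safeDeepAssign(Object.create(null), parsed);
  return {
    benignXmlFlagged: rawXmlHasPrototypeTags(BENIGN_XML),   // false
    suspectXmlFlagged: rawXmlHasPrototypeTags(SUSPECT_XML), // true
    suspectPaths: findPrototypeKeys(parsed),                // ['order.__proto__']
    cleanHasOrderId: clean.order.id === 42,                 // true
    cleanOrderPolluted: 'polluted' in clean.order,          // false
    globalPolluted: ({}).polluted !== undefined,            // false
  };
}

console.log(demo());
```

In a real handler the gate and the scan are a logging and rejection point: a flagged body is the signal the detection step above asks for (an inbound webhook POST carrying prototype-shaped keys), and `safeDeepAssign` is what the handler should use instead of a generic deep merge when it copies parsed input into workflow data. `hardenPrototype()` belongs at the very start of the process, before any dependency that legitimately extends built-ins is loaded.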

Timeline

Published: April 29, 2026
Last Modified: May 4, 2026
First Seen: April 30, 2026

Related Vulnerabilities