CVE-2026-42232: n8n: XML Node prototype pollution → RCE

GHSA-hqr4-h3xv-9m3r UNKNOWN
Published April 29, 2026
CISO Take

n8n's XML Node handler allows any authenticated user with workflow creation rights to trigger global prototype pollution that, when chained with other workflow nodes, achieves remote code execution on the n8n server. This matters because n8n is increasingly the orchestration backbone for AI agent pipelines—a successful exploit yields full server access including every connected API key, LLM provider credential, and downstream data source. The package carries 75 known CVEs, an OpenSSF score of 6/10, and sits at the 68th EPSS percentile, signaling a historically vulnerable codebase with sustained attacker interest. Patch immediately to 1.123.32, 2.17.4, or 2.18.1, and audit workflow creation permissions to restrict them to the minimum necessary set of trusted users.

Sources: NVD, GitHub Advisory, EPSS, OpenSSF, ATLAS

What is the risk?

HIGH despite the authentication requirement. In most enterprise n8n deployments workflow creation rights are granted broadly across automation and developer teams, making the effective attack surface much larger than 'authenticated only' implies. Prototype pollution achieving RCE in a Node.js workflow engine that holds credentials to every integrated service elevates the blast radius significantly. No public exploit and no KEV listing moderate the immediate urgency, but the 75-CVE history and top-68th-percentile EPSS ranking indicate this codebase is a high-value target that attackers actively probe.

How does the attack unfold?

Initial Access (AML.T0012)
Attacker authenticates to n8n using valid credentials—either a legitimate insider or an account compromised via credential stuffing—that carry workflow creation or modification permissions.

Exploitation (AML.T0049)
Attacker creates a workflow with the XML Node configured to process a crafted XML payload containing prototype pollution keys (e.g., __proto__ modifications), injecting malicious properties into the Node.js global prototype chain.

Code Execution (AML.T0050)
The polluted prototype is triggered by chaining with a Function or Code node whose execution path relies on the corrupted prototype, achieving arbitrary JavaScript execution within the n8n server process.

Credential Theft & Lateral Movement (AML.T0055)
Attacker exfiltrates all n8n environment variables—API keys for LLM providers, database credentials, SaaS tokens—and pivots to every service the workflow automation platform integrates with.

What systems are affected?

Package   Ecosystem   Vulnerable Range       Patched
n8n       npm         >= 2.18.0, < 2.18.1    2.18.1

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.5% chance of exploitation in 30 days (higher than 38% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Patch n8n to 1.123.32, 2.17.4, or 2.18.1 immediately across all deployments.

  2. If patching is delayed, restrict workflow creation and modification permissions to the minimum set of trusted users and audit existing permission grants.

  3. Inspect existing workflows for XML nodes processing external or user-controlled input; look for __proto__ or constructor.prototype patterns in XML payloads.

  4. Run the n8n process in a least-privilege container with no direct filesystem access to credential stores or secrets managers.

  5. Monitor for unexpected outbound connections or process spawning from the n8n container post-workflow execution as indicators of exploitation.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-42232?

n8n's XML Node handler allows any authenticated user with workflow creation rights to trigger global prototype pollution that, when chained with other workflow nodes, achieves remote code execution on the n8n server. This matters because n8n is increasingly the orchestration backbone for AI agent pipelines—a successful exploit yields full server access including every connected API key, LLM provider credential, and downstream data source. The package carries 75 known CVEs, an OpenSSF score of 6/10, and sits at the 68th EPSS percentile, signaling a historically vulnerable codebase with sustained attacker interest. Patch immediately to 1.123.32, 2.17.4, or 2.18.1, and audit workflow creation permissions to restrict them to the minimum necessary set of trusted users.

Is CVE-2026-42232 actively exploited?

No confirmed active exploitation of CVE-2026-42232 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42232?

  1. Patch n8n to 1.123.32, 2.17.4, or 2.18.1 immediately across all deployments.

  2. If patching is delayed, restrict workflow creation and modification permissions to the minimum set of trusted users and audit existing permission grants.

  3. Inspect existing workflows for XML nodes processing external or user-controlled input; look for __proto__ or constructor.prototype patterns in XML payloads.

  4. Run the n8n process in a least-privilege container with no direct filesystem access to credential stores or secrets managers.

  5. Monitor for unexpected outbound connections or process spawning from the n8n container post-workflow execution as indicators of exploitation.

What systems are affected by CVE-2026-42232?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation pipelines, Multi-service AI orchestration, RAG ingestion pipelines, LLM API integration layers.

What is the CVSS score for CVE-2026-42232?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Workflow automation pipelines, Multi-service AI orchestration, RAG ingestion pipelines, LLM API integration layers

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Exploitation Scenario

An attacker with a legitimate n8n account—or using credentials obtained via phishing or credential stuffing—creates a new workflow incorporating the XML Node with a crafted payload that sets prototype properties on the global JavaScript object (e.g., __proto__.polluted referencing a malicious function). They chain this node with a subsequent Function or Code node that executes a code path relying on the now-polluted prototype, triggering arbitrary JavaScript execution within the n8n Node.js process. The attacker then exfiltrates all environment variables—API keys for OpenAI, Anthropic, Slack, database connection strings—and establishes a reverse shell for persistent access to the AI orchestration infrastructure, effectively owning every service the n8n instance touches.

Weaknesses (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

  • [Implementation] By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
  • [Architecture and Design] By blocking modifications of attributes that resolve to object prototype, such as __proto__ or prototype, this weakness can be mitigated.

Source: MITRE CWE corpus.
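The second CWE mitigation above (blocking keys that resolve to the object prototype) and the __proto__/constructor.prototype audit in remediation step 3, shown in an added JavaScript example that is not n8n's code: a constructed toy XML-to-object mapper in a polluting form beside a hardened form, plus a scanner over constructed sample payloads. The element names, sample XML and function names are assumptions for illustration, and the hardened form uses key rejection plus null-prototype objects rather than Object.freeze.

```javascript
// Added example, not n8n's code: a toy XML-to-object mapper like one a workflow
// node might contain, in a polluting and a hardened form, plus a step-3 style scanner.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Constructed sample payloads (hypothetical, not taken from the advisory).
const POLLUTING_XML = '<item><__proto__><polluted>yes</polluted></__proto__></item>';
const BENIGN_XML = '<item><name>report</name><tags><tag>ai</tag></tags></item>';
// Tokenizes a small XML subset (nested elements and text only; no attributes,
// entities or self-closing tags) into [elementPath, text] leaves.
function xmlLeaves(xml) {
  const leaves = [], stack = [], re = /<\/([^>]+)>|<([^\s\/>]+)[^>]*>|([^<]+)/g;
  for (let m; (m = re.exec(xml)) !== null;) {
    if (m[2]) stack.push(m[2]);                                      // opening tag
    else if (m[1]) stack.pop();                                      // closing tag
    else if (m[3].trim()) leaves.push([stack.slice(), m[3].trim()]); // text leaf
  }
  return leaves;
}
// CWE-1321 pattern: '__proto__' as an element name resolves to Object.prototype, so the last write hits every object.
function setPathNaive(node, path, value) {
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
}
// Hardened: reject prototype-reaching names, use null-prototype objects, descend only into own properties.
function setPathSafe(node, path, value) {
  const bad = path.find((k) => FORBIDDEN_KEYS.has(k));
  if (bad !== undefined) throw new Error(`rejected prototype key: ${bad}`);
  for (const key of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key) || typeof node[key] !== 'object') node[key] = Object.create(null);
    node = node[key];
  }
  node[path[path.length - 1]] = value;
}
const buildNaive = (xml) => xmlLeaves(xml).reduce((r, [p, t]) => (setPathNaive(r, p, t), r), {});
const buildSafe = (xml) => xmlLeaves(xml).reduce((r, [p, t]) => (setPathSafe(r, p, t), r), Object.create(null));
// Step-3 style audit: element paths in a payload that contain a forbidden name.
const findPrototypeKeys = (xml) =>
  xmlLeaves(xml).map(([p]) => p).filter((p) => p.some((k) => FORBIDDEN_KEYS.has(k))).map((p) => p.join('/'));
// Runs both builders on the samples and undoes the pollution it demonstrates.
function demo() {
  buildNaive(POLLUTING_XML);
  const polluted = ({}).polluted;     // 'yes': every object in the process now carries it
  delete Object.prototype.polluted;   // clean up the global side effect
  let rejection; try { buildSafe(POLLUTING_XML); } catch (e) { rejection = e.message; }
  return { polluted, rejection, safeName: buildSafe(BENIGN_XML).item.name,
           flagged: findPrototypeKeys(POLLUTING_XML), stillClean: ({}).polluted };
}
```

Calling demo() shows the naive mapper leaking a property onto every object while the hardened mapper rejects the same payload and still maps benign XML.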

Timeline

Published: April 29, 2026
Last Modified: May 4, 2026
First Seen: April 30, 2026

Related Vulnerabilities