CVE-2026-42232 — CRITICAL (CVSS 10.0) AI Security Vulnerability

Q: What is CVE-2026-42232?

n8n has XML Node Prototype Pollution that to RCE

Q: Is CVE-2026-42232 actively exploited?

No confirmed active exploitation of CVE-2026-42232 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-42232?

Update to patched version: n8n 2.18.1.

Q: What is the CVSS score for CVE-2026-42232?

CVE-2026-42232 has a CVSS v3.1 base score of 10.0 (CRITICAL).

## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. ## Patches The issue has been fixed in n8n versions 1.123.32, 2.17.4, and...

Full CISO analysis pending enrichment.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	>= 2.18.0, < 2.18.1	`2.18.1`
185.6K OpenSSF 6.0 16 dependents Pushed 4d ago 38% patched ~1d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

10.0 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

N/A

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I High

A High

Recommended Action

Patch available

Update n8n to version 2.18.1

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-42232?

n8n has XML Node Prototype Pollution that to RCE

Is CVE-2026-42232 actively exploited?

No confirmed active exploitation of CVE-2026-42232 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42232?

Update to patched version: n8n 2.18.1.

What is the CVSS score for CVE-2026-42232?

CVE-2026-42232 has a CVSS v3.1 base score of 10.0 (CRITICAL).

Technical Details

NVD Description

## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. ## Patches The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.