{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/n8n--1.123.32/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-42231"},{"id":"CVE-2026-42232"}],"_cs_exploited":false,"_cs_products":["n8n (\u003c 1.123.32)","n8n (\u003c 2.17.4)","n8n (\u003c 2.18.1)"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","rce","n8n"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eMultiple critical vulnerabilities have been discovered in n8n, a widely used workflow automation tool. These vulnerabilities, identified as CVE-2026-42231 and CVE-2026-42232, involve Prototype Pollution flaws that can be escalated to Remote Code Execution (RCE) on the n8n host. The vulnerabilities affect n8n versions prior to 1.123.32, 2.17.4, and 2.18.1. An authenticated user with workflow editing rights can exploit these vulnerabilities by injecting malicious properties into the global object prototype, ultimately executing unauthorized commands directly on the underlying host server. These flaws can be exploited via the webhook infrastructure or the XML Node component.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user gains access to the n8n instance with workflow editing rights.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload or workflow utilizing the XML Node component.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is designed to inject properties into the global object prototype, exploiting the Prototype Pollution vulnerability (CVE-2026-42231 or CVE-2026-42232).\u003c/li\u003e\n\u003cli\u003eThe polluted data is routed through the Git node\u0026rsquo;s SSH functions (in the case of CVE-2026-42231) or other susceptible workflow nodes.\u003c/li\u003e\n\u003cli\u003eThe injected properties modify the behavior of subsequent operations performed by the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe Git node (or other exploited node) executes commands based on the polluted prototype, leading to arbitrary code execution on the n8n server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the n8n server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised server for further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows an attacker to achieve Remote Code Execution (RCE) on the n8n host. This can lead to complete compromise of the n8n instance, including unauthorized access to sensitive data, modification of workflows, and potentially the compromise of other systems connected to the n8n instance. The high CVSS scores (9.4) for both CVEs reflect the significant impact on Confidentiality, Integrity, and Availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch n8n instances to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate CVE-2026-42231 and CVE-2026-42232, as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement monitoring and detection capabilities to identify suspicious activity related to prototype pollution attempts, as advised in the advisory.\u003c/li\u003e\n\u003cli\u003eReview and restrict workflow editing rights to minimize the attack surface and reduce the potential for unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T14:14:35Z","date_published":"2026-05-05T14:14:35Z","id":"/briefs/2026-05-n8n-rce/","summary":"Critical Prototype Pollution vulnerabilities (CVE-2026-42231 and CVE-2026-42232) in n8n versions prior to 1.123.32, 2.17.4, and 2.18.1 can be exploited by authenticated users with workflow editing rights to achieve Remote Code Execution (RCE) on the n8n host.","title":"Critical Prototype Pollution Vulnerabilities in n8n Lead to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-n8n-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — N8n (\u003c 1.123.32)","version":"https://jsonfeed.org/version/1.1"}