Attack Chain

1. An attacker authenticates to an n8n instance with workflow creation/modification privileges.
2. The attacker crafts a malicious workflow that leverages the XML Node to inject a payload designed to trigger prototype pollution.
3. The crafted XML node manipulates global object prototypes within the n8n application.
4. The attacker introduces a property into a global object prototype that can be exploited by another node.
5. The attacker adds a secondary node (e.g., Function node) that leverages the polluted prototype property.
6. The secondary node’s execution triggers the polluted prototype, leading to arbitrary code execution.
7. The attacker executes arbitrary commands on the n8n server.
8. The attacker gains complete control of the n8n server, potentially leading to data exfiltration, lateral movement, or other malicious activities.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the n8n server. This can lead to full system compromise, including data exfiltration, credential theft, and lateral movement within the network. Given the nature of n8n as an automation platform, successful attacks can severely impact connected systems and services. This vulnerability affects n8n users who have not upgraded to patched versions.

Recommendation

• Upgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to remediate CVE-2026-42232.
• As a temporary mitigation, limit workflow creation and editing permissions to only fully trusted users as suggested in the advisory.
• As a temporary mitigation, disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable as suggested in the advisory.

Attack Chain

1. An unauthenticated attacker registers a malicious MCP OAuth client with a crafted client_name containing XSS payload.
2. A victim user navigates to the n8n instance and is presented with the malicious OAuth consent dialog.
3. The victim user authorizes the malicious OAuth client, unknowingly injecting the attacker’s script into their session.
4. A second user, possibly an administrator, revokes the OAuth access granted to the malicious client.
5. This revocation triggers a toast notification to the original victim user.
6. The toast notification renders the attacker’s injected script from the crafted client_name.
7. The victim user clicks on the link within the toast notification.
8. The injected JavaScript executes within the victim’s authenticated n8n browser session, enabling the attacker to perform malicious actions such as stealing credentials, manipulating workflows, or escalating privileges.

Impact

Successful exploitation of this XSS vulnerability can lead to significant compromise of an n8n instance. Attackers can steal user credentials and session tokens, allowing them to impersonate legitimate users. Malicious actors could also modify or create workflows, leading to data breaches, system disruption, or unauthorized access. Privilege escalation is also possible, potentially granting attackers administrative control over the n8n platform. The number of potential victims depends on the exposure and user base of the vulnerable n8n instances.

Recommendation

• Upgrade n8n to version 2.14.2 or later to patch CVE-2026-42235, as recommended in the advisory.
• Deploy the Sigma rule Detect Suspicious n8n MCP OAuth Client Registration to identify attempts to register OAuth clients with suspicious names.
• If immediate patching is not feasible, restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only, as suggested in the advisory’s workaround.

Attack Chain

1. An attacker authenticates to the n8n instance.
2. The attacker crafts a malicious XML payload designed to exploit the prototype pollution vulnerability in the xml2js library.
3. The attacker creates or modifies a workflow containing a webhook node configured to receive XML data.
4. The attacker sends the crafted XML payload to the webhook endpoint.
5. The xml2js library parses the malicious XML, inadvertently polluting the JavaScript object prototype with attacker-controlled properties.
6. The attacker includes a Git node in the workflow.
7. The polluted prototype modifies the behavior of the Git node’s SSH operations.
8. When the workflow executes, the Git node’s SSH operation is hijacked due to the prototype pollution, leading to arbitrary code execution on the n8n host.

Impact

Successful exploitation allows a malicious actor to execute arbitrary code on the n8n server. This grants them complete control over the n8n instance and potentially the underlying infrastructure. The vulnerability impacts any n8n instance accessible to authenticated users who can create or modify workflows. The number of affected installations is unknown, but the potential impact is high due to the sensitive nature of workflows often managed by n8n, which can include access to other systems and data.

Recommendation

• Upgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to patch the vulnerability as described in the overview.
• Deploy the Sigma rule “Detect n8n Prototype Pollution via Crafted XML Payload” to detect malicious XML payloads targeting the vulnerability. Enable webserver logs to activate this rule.
• Limit workflow creation and editing permissions to trusted users to mitigate the risk of exploitation, as described in the workaround.

Attack Chain

1. An attacker gains authenticated access to an n8n instance.
2. The attacker verifies the Python Task Runner is enabled.
3. The attacker creates or modifies an n8n workflow.
4. The workflow includes a Python Code Node.
5. The attacker crafts malicious Python code designed to escape the sandbox. This code could leverage vulnerabilities in the sandbox implementation to execute commands outside of the intended restricted environment.
6. The attacker triggers the workflow execution.
7. The malicious Python code executes, successfully escaping the sandbox.
8. Arbitrary code is executed on the task runner container, potentially leading to compromise of the n8n instance or the underlying infrastructure.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the n8n task runner container. This can lead to a full compromise of the n8n instance, allowing the attacker to steal sensitive data, disrupt services, or pivot to other systems within the network. While the exact number of affected instances is unknown, any n8n deployment with the Python Task Runner enabled and vulnerable versions are at risk.

Recommendation

• Upgrade n8n to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability as recommended by the vendor.
• If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only, as mentioned in the advisory.
• As a temporary measure, disable the Python Code node by adding n8n-nodes-base.code to the NODES_EXCLUDE environment variable, or disable the Python Task Runner entirely as documented in the advisory.
• Monitor container execution for unexpected processes spawned from the n8n task runner container using the “Detect Suspicious Process Execution from n8n Task Runner” Sigma rule.

Attack Chain

Given the broad range of potential vulnerabilities, a generalized attack chain is outlined below:

1. Reconnaissance: The attacker identifies a vulnerable n8n instance, potentially through Shodan or similar tools.
2. Vulnerability Identification: The attacker probes the n8n instance to identify specific exploitable vulnerabilities, such as those related to SQL injection or XSS.
3. Exploitation (SQL Injection): The attacker crafts malicious SQL queries through user input fields or API calls to extract sensitive data from the n8n database, such as user credentials or API keys.
4. Exploitation (XSS): The attacker injects malicious JavaScript code into n8n workflows or data fields. When other users interact with the affected workflows or data, the JavaScript code executes in their browsers.
5. Privilege Escalation/Lateral Movement: The attacker leverages the compromised credentials or XSS vulnerabilities to gain elevated privileges within the n8n instance or move laterally to other systems within the network.
6. Remote Code Execution: The attacker exploits a vulnerability that allows for the execution of arbitrary code on the server. This could be achieved through insecure file uploads, deserialization flaws, or command injection.
7. Persistence: The attacker establishes persistence by creating new n8n workflows or modifying existing ones to execute malicious code on a recurring basis.
8. Impact: The attacker exfiltrates sensitive data, disrupts critical business processes by manipulating or deleting workflows, or uses the compromised system as a foothold for further attacks within the network.

Impact

Successful exploitation of these vulnerabilities could result in significant damage, depending on the attacker’s objectives. The potential impact includes data breaches, financial losses, service disruptions, and reputational damage. If sensitive data is exfiltrated, it could be used for identity theft, fraud, or other malicious purposes. Disruption of critical workflows can lead to business downtime and lost productivity. The lack of specific victim counts or sector targeting in the source data makes it difficult to quantify the impact precisely, but the broad range of potential vulnerabilities and their potential consequences warrant immediate attention.

Recommendation

• Implement the provided Sigma rules to detect potential exploitation attempts targeting n8n instances (see “Descriptive Detection Rule Name” in the rules section).
• Conduct regular security audits and penetration testing of n8n instances to identify and remediate vulnerabilities before they can be exploited.
• Enforce strict input validation and sanitization measures to prevent SQL injection and XSS attacks.
• Apply the principle of least privilege to limit the permissions of the n8n process and users.
• Monitor network traffic for suspicious activity related to n8n instances, such as unusual API calls or connections to malicious domains.
• Regularly review and update n8n workflows to ensure they are secure and do not contain any malicious code.

Attack Chain

1. An attacker gains authenticated access to an n8n instance.
2. The attacker obtains access to a shared workflow.
3. The attacker identifies a credential ID belonging to another user within the n8n instance.
4. The attacker crafts a request to a vulnerable dynamic-node-parameters endpoint, injecting the foreign credential ID into the request body.
5. The n8n backend, failing to validate the attacker’s authorization to use the specified credential, decrypts the targeted credential.
6. The attacker controls the destination URL in the request, pointing it to attacker-controlled infrastructure.
7. The n8n backend authenticates against the attacker-controlled infrastructure using the decrypted credential, sending the API key to the attacker.
8. The attacker captures the API key and uses it to access resources or data accessible to the compromised credential.

Impact

Successful exploitation of this vulnerability (CVE-2026-42226) allows an attacker to exfiltrate API keys belonging to other n8n users. This can lead to unauthorized access to external services and data, depending on the permissions granted to the compromised credentials. The impact is significant, potentially affecting all n8n instances running vulnerable versions (prior to 2.18.0). The severity is rated as high due to the ease of exploitation and the potential for significant data breaches.

Recommendation

• Upgrade n8n to version 2.18.0 or later to patch the vulnerability (CVE-2026-42226).
• Deploy the Sigma rule Detect n8n Foreign Credential ID in dynamic-node-parameters to identify attempts to exploit this vulnerability.
• Implement stricter access controls and limit workflow sharing to trusted users as a short-term mitigation, as suggested in the overview.

Attack Chain

1. The attacker identifies an n8n instance running a vulnerable version (e.g., < 1.123.32, 2.0.0 < x < 2.17.4, or 2.18.0 < x < 2.18.1).
2. The attacker sends an unauthenticated HTTP POST request to the MCP OAuth client registration endpoint. The exact URI path for this endpoint is not specified in the advisory, but it is related to MCP OAuth client registration.
3. The POST request contains a large payload designed to consume significant server memory during processing.
4. The n8n instance processes the registration request without proper resource limitations or input validation on the payload size.
5. The server allocates memory to handle the large payload, potentially leading to memory exhaustion.
6. The attacker sends multiple such requests in rapid succession, exacerbating the memory exhaustion issue.
7. The n8n instance becomes unresponsive due to memory starvation, resulting in a denial of service.
8. Legitimate users are unable to access or use the n8n platform.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition, rendering the n8n instance unavailable to legitimate users. The advisory does not specify the number of victims or sectors targeted. However, any organization using a vulnerable version of n8n is at risk. If the attack succeeds, critical workflow automation processes managed by n8n will be interrupted, potentially leading to business disruptions and data loss.

Recommendation

• Upgrade n8n to version 1.123.32, 2.17.4, or 2.18.1, or later to remediate the vulnerability as mentioned in the Patches section.
• If upgrading is not immediately possible, restrict network access to the n8n instance to prevent requests from untrusted sources, as outlined in the Workarounds section.
• If upgrading is not immediately possible, reduce the maximum accepted payload size by lowering the N8N_PAYLOAD_SIZE_MAX environment variable as described in the Workarounds section.
• Monitor web server logs for unusual POST requests to the MCP OAuth client registration endpoint (path not specified in advisory) that may indicate exploitation attempts. Create detection rules for this activity on webserver logs.