Prototype pollution in n8n - #VU127215

 


Published: April 23, 2026


Vulnerability identifier: #VU127215
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software: n8n

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to prototype pollution in the XML Node when creating or modifying workflows containing XML node data. A remote user can create or modify a workflow to trigger global prototype pollution and execute arbitrary code.

Exploitation requires permission to create or modify workflows. Code execution occurs when the prototype pollution is combined with other nodes that exploit it.


Remediation

Install the security update from the vendor's website.
