Prototype pollution in n8n - #VU127216

Published: April 23, 2026


Vulnerability identifier: #VU127216
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to prototype pollution in the xml2js library used by the webhook body parser when parsing a crafted XML request body. A remote attacker can send a crafted XML payload and chain the resulting prototype pollution with the Git node's SSH operations to execute arbitrary code.

Exploitation requires the ability to create or modify workflows.
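As an added example (not code from n8n or the xml2js project), the block below shows the defensive check a webhook body handler can apply to whatever an XML-to-object parser returns: keys such as __proto__ that could reach Object.prototype during a later merge (the CWE-1321 pattern the advisory names) are detected and reported, and the body is copied into prototype-less objects before further use. The sample bodies, the function names and the handler shape are all constructed for the illustration; no XML parser is involved.

```javascript
// Added example, not code from n8n or the xml2js project. It demonstrates the
// detection and mitigation side of CWE-1321 for a parsed webhook body.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return dotted paths of every own key in a parsed body that could be used to
// reach Object.prototype during a later merge or deep assignment.
function findPollutingKeys(node, path = [], found = []) {
  if (node === null || typeof node !== 'object') return found;
  for (const key of Object.keys(node)) {
    const here = path.concat(key);
    if (DANGEROUS_KEYS.has(key)) found.push(here.join('.'));
    findPollutingKeys(node[key], here, found);
  }
  return found;
}

// Deep-copy a parsed body into prototype-less objects, dropping dangerous keys.
// Object.create(null) gives the copies no prototype chain at all, so even a key
// that slips past the deny-list has nothing shared to pollute.
function safeCopy(node) {
  if (Array.isArray(node)) return node.map(safeCopy);
  if (node === null || typeof node !== 'object') return node;
  const out = Object.create(null);
  for (const key of Object.keys(node)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    out[key] = safeCopy(node[key]);
  }
  return out;
}

// Hypothetical handler step: reject bodies carrying polluting keys (returning
// the paths so they can be logged), otherwise hand back a sanitised copy.
function handleParsedBody(parsed) {
  const paths = findPollutingKeys(parsed);
  if (paths.length > 0) {
    return { rejected: true, reason: 'prototype-polluting keys', paths };
  }
  return { rejected: false, body: safeCopy(parsed) };
}

// Constructed sample bodies standing in for parser output. JSON.parse is used
// only because it creates "__proto__" as an ordinary own property, which is the
// shape a parsed object tree takes when a document carries such a key.
const SAMPLE_BENIGN = JSON.parse('{"root":{"name":"demo","items":["a","b"]}}');
const SAMPLE_MALICIOUS = JSON.parse(
  '{"root":{"name":"demo","__proto__":{"polluted":"yes"}}}'
);

console.log(handleParsedBody(SAMPLE_BENIGN));
console.log(handleParsedBody(SAMPLE_MALICIOUS));
// Object.prototype must remain untouched after handling the malicious body.
console.log('polluted on fresh object:', ({}).polluted);
```

The deny-list catches the well-known key names; the null-prototype copy is the structural guard that holds even for a name the list misses, because there is no shared prototype for a merge to write into.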


Remediation

Install the security update from the vendor's website.

Sources