Prototype pollution in n8n - #VU135227
Published: June 25, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper control of dynamically-managed code resources in workflow credential handling when saving, updating, or importing a crafted workflow via the workflow API. A remote user can pollute Object.prototype to disclose sensitive information.
Once Object.prototype is polluted, unauthenticated requests may be treated as coming from a privileged user, which can expose user and project listing endpoints. The pollution can also corrupt global state and make parts of the instance unresponsive until it is restarted.
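The sketch below is an added example, not n8n source code: it shows how a recursive merge of a crafted JSON body can pollute Object.prototype so that an empty (unauthenticated) request object passes an inherited-property check, next to a merge and a check that resist it. All function names, the `user`/`role` properties and the sample body are assumptions made up for illustration.

```javascript
// Constructed demo. All names are hypothetical; this is not n8n source code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// Vulnerable pattern: a recursive merge that follows attacker-chosen keys.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value); // target['__proto__'] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject dangerous keys and only descend into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Authorization check that trusts inherited properties vs. one that requires own properties.
const looseIsPrivileged = (req) => Boolean(req.user && req.user.role === 'owner');
const strictIsPrivileged = (req) => hasOwn(req, 'user') && looseIsPrivileged(req);

function demo() {
  // Constructed workflow body; JSON.parse makes "__proto__" an ordinary own key.
  const crafted = JSON.parse('{"credentials":{"__proto__":{"user":{"role":"owner"}}}}');
  const anonymous = {}; // request with no session attached
  const before = looseIsPrivileged(anonymous);
  unsafeMerge({ credentials: {} }, crafted);
  const afterLoose = looseIsPrivileged(anonymous);
  const afterStrict = strictIsPrivileged(anonymous);
  delete Object.prototype.user; // undo the process-wide corruption
  let rejected = false;
  try { safeMerge({ credentials: {} }, crafted); } catch { rejected = true; }
  return { before, afterLoose, afterStrict, rejected, clean: ({}).user === undefined };
}
```

Until the polluted property is deleted, every plain object in the process inherits it, which is why the effect persists across requests.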