Prototype pollution in n8n - #VU135227

Published: June 25, 2026


Vulnerability identifier: #VU135227
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improperly controlled modification of object prototype attributes (prototype pollution) in workflow credential handling when saving, updating, or importing a crafted workflow via the workflow API. A remote user with low privileges can pollute Object.prototype and gain access to sensitive information.

As a result, unauthenticated requests may be treated as coming from a privileged user, exposing the user and project listing endpoints. The pollution also corrupts global state and can leave parts of the instance unresponsive until it is restarted.
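The pattern behind CWE-1321 in a merge of attacker-controlled workflow JSON, as an added illustration that is not n8n's code: a naive recursive merge that writes through a `__proto__` key ends up writing to Object.prototype, after which an unrelated empty object (standing in here for the user record of a request with no session) appears to carry the injected property. The hardened variant rejects the three keys that can reach a prototype. The merge functions, the `isPrivileged` marker and the workflow JSON are constructed for this example and assume nothing about n8n's actual credential handling.

```javascript
// Added illustration of the prototype-pollution pattern (CWE-1321).
// Not n8n's code: mergeUnsafe, mergeSafe, the "isPrivileged" marker and the
// workflow JSON are constructed for this example only.

// Vulnerable: a naive recursive merge that trusts every key in the input.
// target["__proto__"] resolves to Object.prototype, so the attacker's keys
// land on every plain object in the process.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that can reach a prototype, and only descend into
// own properties of the target so an inherited object is never walked into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe key in workflow credentials: ${key}`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: a workflow whose node credentials carry a "__proto__"
// key. Written as a raw string because JSON.parse turns "__proto__" into an
// own property, whereas an object literal would set the prototype instead.
const CRAFTED_WORKFLOW_JSON =
  '{"name":"crafted","nodes":[{"name":"HTTP Request",' +
  '"credentials":{"__proto__":{"isPrivileged":true}}}]}';

// Runs one merge of the crafted workflow into a stored one and reports whether
// the merge was rejected and whether an unrelated fresh object got polluted.
function pollutionDemo(mergeFn) {
  const stored = { nodes: [{ name: 'HTTP Request', credentials: {} }] };
  const incoming = JSON.parse(CRAFTED_WORKFLOW_JSON);
  let rejected = false;
  try {
    mergeFn(stored.nodes[0].credentials, incoming.nodes[0].credentials);
  } catch (err) {
    rejected = true;
  }
  // A freshly created object with no own properties, as an anonymous request's
  // user record would be; any truthy value here comes from Object.prototype.
  const anonymousRequestUser = {};
  const polluted = anonymousRequestUser.isPrivileged === true;
  // Undo the pollution so later code in this process starts clean.
  delete Object.prototype.isPrivileged;
  return { rejected, polluted };
}

console.log('naive merge   :', pollutionDemo(mergeUnsafe));
console.log('hardened merge:', pollutionDemo(mergeSafe));
```

Rejecting the three keys is the minimal fix; storing untrusted maps in objects created with `Object.create(null)` or validating the workflow against a schema before any merge removes the class of bug rather than the one payload shape.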


Remediation

Install the security update from the vendor's website.

Sources