Skip to content
CVSS 8.8 · HIGH

CVE-2026-42232

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Ver en NVD

Análisis

n8n versions prior to 1.123.32, 2.17.4, and 2.18.1 are vulnerable to a prototype pollution attack via the XML Node. Authenticated users with workflow permissions can exploit this to achieve Remote Code Execution (RCE) on the host, making it critical for self-hosted installations to update immediately.

Severidad

Puntaje: 8.8(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-1321

EPSS

Probabilidad de explotación (próx. 30 días): 0.0005 (0.1%)
Percentil: 16.3%
EPSS: 2026-05-06

Afecta

n8n:n8n

Descripción técnica

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Publicada: 4/5/2026, 19:16:05
Última modificación: 6/5/2026, 17:15:28

Referencias

InicioEventosBlogRecursosEquipo