ctipilot.ch

n8n CVE-2026-42231 et al. — five chained CVSS 9.4 prototype-pollution + injection + Git-SSH RCE chain (CCB Belgium emergency advisory)

cve · CVE-2026-42231

Coverage timeline
2
first 2026-05-19 → last 2026-05-19
Briefs
1
1 distinct
Sources cited
2
2 hosts
Sections touched
2
deep_dive, trending_vulns
Co-occurring entities
4
see Related entities below

Story timeline

  1. 2026-05-19CTI Daily Brief — 2026-05-19
    trending_vulnsFirst coverage. Five CVEs: -42231 (xml2js webhook prototype pollution, root), -42232 / -44789 / -44791 (HTTP Request / XML Node injection amplifiers), -44790 (Git node SSH terminal sink). Patched in 1.123.32 / 2.17.4 / 2.18.1; CCB Belgium emergency advisory; no public ITW.
  2. 2026-05-19CTI Daily Brief — 2026-05-19
    deep_diveDeep dive in § 5. Chain mechanics: xml2js prototype pollution → Git-node SSH RCE; CCB Belgium emergency advisory; T1190 / T1059.007 / T1068 / T1611; detection concepts (XML body __proto__ pattern, n8n→ssh/git child spawns).

Where this entity is cited

  • trending_vulns1
  • deep_dive1

Source distribution

  • github.com1 (50%)
  • thehackernews.com1 (50%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (2)

Items in briefs about n8n CVE-2026-42231 et al. — five chained CVSS 9.4 prototype-pollution + injection + Git-SSH RCE chain (CCB Belgium emergency advisory) (1)

CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read

From CTI Daily Brief — 2026-05-19 · published 2026-05-19 · view item permalink →

n8n published five Critical security advisories on 2026-05-18, two on 2026-05-18 (-42231, -42232) and a follow-on cluster of three (-44789, -44790, -44791) released against later branches (n8n GHSA-q5f4-99jv-pgg5, 2026-05-18; The Hacker News, 2026-05-18). CVE-2026-42231 (CVSS 4.0: 9.4, CWE-1321) is the root cause: a prototype-pollution primitive reachable via crafted XML supplied to the xml2js library used by the n8n webhook handler. Once the global JavaScript object prototype is polluted, the chain pivots into the n8n Git node's SSH operations to achieve RCE on the n8n host by an authenticated user with workflow create / modify permission. CVE-2026-42232 (GHSA-hqr4-h3xv-9m3r, "XML Node Prototype Pollution to RCE") is a companion XML-Node prototype-pollution flaw exercising the same primitive in a second sink. The follow-on advisories: CVE-2026-44789 (GHSA-c8xv-5998-g76h, "HTTP Request Node Pagination Prototype Pollution to RCE"); CVE-2026-44790 (GHSA-57g9-58c2-xjg3, "Arbitrary File Read via Git Node" — a file-read primitive, not the SSH RCE chain); CVE-2026-44791 (GHSA-wrwr-h859-xh2r, "XML Node Prototype Pollution Patch Bypass"). Patched versions split between two branch trains: -42231 and -42232 in n8n 1.123.32 / 2.17.4 / 2.18.1; -44789, -44790 and -44791 in 1.123.43 / 2.20.7 / 2.22.1. No in-the-wild exploitation reported at the time of writing. Inclusion gate: CVSS 9.4 ≥ 9.0 (PD §2 inclusion gate via the CVSS 9.0–10.0 ENISA EUVD threshold).

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-42231 n8n (xml2js webhook prototype pollution → Git-node SSH RCE chain) 9.4 n/a No No (no public ITW) 1.123.32 / 2.17.4 / 2.18.1 n8n GHSA-q5f4-99jv-pgg5
CVE-2026-42232 n8n (XML Node Prototype Pollution to RCE) 9.4 n/a No No 1.123.32 / 2.17.4 / 2.18.1 n8n GHSA-hqr4-h3xv-9m3r
CVE-2026-44789 n8n (HTTP Request Node Pagination — prototype pollution to RCE) 9.4 n/a No No 1.123.43 / 2.20.7 / 2.22.1 n8n GHSA-c8xv-5998-g76h
CVE-2026-44790 n8n (Arbitrary File Read via Git Node — file-read primitive) 9.4 n/a No No 1.123.43 / 2.20.7 / 2.22.1 n8n GHSA-57g9-58c2-xjg3
CVE-2026-44791 n8n (XML Node Prototype Pollution Patch Bypass) 9.4 n/a No No 1.123.43 / 2.20.7 / 2.22.1 n8n GHSA-wrwr-h859-xh2r