ctipilot.ch

n8n XML Node injection — companion amplifier to CVE-2026-42231 prototype-pollution chain

cve · CVE-2026-44791

Coverage timeline: 2 (first 2026-05-19 → last 2026-05-19)
Entries: 2 (1 distinct day)
Sources cited: 10 (3 hosts)
Sections touched: 2 (deep-dive, trending-vulnerabilities)
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-19 · deep-dive · n8n prototype-pollution chain (CVE-2026-42231 et al.): authenticated-to-RCE on a workflow-automation platform that Swiss/EU agencies increasingly stand up as their integration bus
  2. 2026-05-19 · trending-vulnerabilities · CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read

Where this entity is cited

  • trending-vulnerabilities: 1
  • deep-dive: 1

Source distribution

  • github.com: 5 (50%)
  • attack.mitre.org: 4 (40%)
  • thehackernews.com: 1 (10%)

Related entities

Entries about n8n XML Node injection — companion amplifier to CVE-2026-42231 prototype-pollution chain (2)

2026-05-19

n8n prototype-pollution chain (CVE-2026-42231 et al.): authenticated-to-RCE on a workflow-automation platform that Swiss/EU agencies increasingly stand up as their integration bus

notable · vulnerability · discovered 2026-05-19 05:00 UTC · deep dive

n8n is an open-source / fair-code workflow automation platform — visual flow editor, hundreds of "nodes" wrapping SaaS APIs, file processing, code execution, Git operations and HTTP calls — increasingly deployed by Swiss/EU public-sector teams as a low-code integration bus, by federal data offices for pipeline orchestration, and by university research groups as a lab automation glue layer. n8n disclosed five Critical CVEs at CVSS 9.4 each on 2026-05-18, split across two patch trains: the primary chain (-42231 / -42232) and a follow-on cluster (-44789 / -44790 / -44791) addressing additional prototype-pollution and file-read primitives (n8n GHSA-q5f4-99jv-pgg5, 2026-05-18; The Hacker News, 2026-05-18).

Vulnerability class and component. The root flaw, CVE-2026-42231 (GHSA-q5f4-99jv-pgg5, CWE-1321 Prototype Pollution), is a prototype-pollution primitive reachable via crafted XML supplied to the xml2js library used by n8n's webhook handler to parse XML request bodies. By embedding __proto__ / constructor.prototype payloads into the parsed XML, an authenticated user with permission to create or modify workflows can pollute the global JavaScript object prototype on the n8n process. The advisory's stated chain pivots into the n8n Git node's SSH operations: once the prototype is polluted, the Git node's SSH invocation path consumes attacker-controlled values and achieves RCE on the n8n host. CVE-2026-42232 (GHSA-hqr4-h3xv-9m3r, "XML Node Prototype Pollution to RCE") is a companion XML-Node prototype-pollution flaw exercising the same primitive in a second sink. The follow-on advisories address additional sinks: CVE-2026-44789 (GHSA-c8xv-5998-g76h) is "HTTP Request Node Pagination Prototype Pollution to RCE" — a second prototype-pollution path through the pagination logic; CVE-2026-44790 (GHSA-57g9-58c2-xjg3) is "Arbitrary File Read via Git Node" — a separate file-read primitive distinct from the RCE chain; CVE-2026-44791 (GHSA-wrwr-h859-xh2r) is "XML Node Prototype Pollution Patch Bypass" — a regression / bypass of the initial xml2js fix. The vendor's published CVSS vector for CVE-2026-42231 is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H = 9.4 — network attack, low complexity, low privileges required (a workflow editor account), no user interaction, high confidentiality / integrity / availability impact on both the n8n host and subsequent systems.

Exploitation prerequisites. Authenticated access to the n8n instance at the workflow-editor role or higher, plus reachability to a webhook endpoint that accepts XML content-type bodies. n8n self-hosted deployments commonly expose webhook endpoints to the public internet (the Webhook Trigger node is the canonical way to ingest events) — so any compromised editor credential, or any internal user account on an unrestricted n8n instance, is the entry point. Patched versions: the primary chain (-42231, -42232) is fixed in n8n 1.123.32 / 2.17.4 / 2.18.1; the follow-on cluster (-44789, -44790, -44791) is fixed in 1.123.43 / 2.20.7 / 2.22.1. Operators must apply the later branch train to cover the full chain; applying only the initial fixes leaves the pagination prototype-pollution path, the Git-node arbitrary file read, and the XML-node patch-bypass exposed. Upgrade is the only remediation; no workaround.

Kill chain and ATT&CK mapping. T1190 Exploit Public-Facing Application — webhook handler as the initial-access exposure for the prototype pollution. T1059.007 Command and Scripting Interpreter: JavaScript — prototype-pollution primitive lives in the JS runtime. T1068 Exploitation for Privilege Escalation — pollution-to-Git-SSH-chain crosses from editor-role workflow context to host-process command execution. T1611 Escape to Host is relevant for the (common) Docker-deployed n8n: RCE on the n8n container can pivot to host depending on socket / mount exposure.

Hunt and detection concepts. Inspect n8n webhook HTTP request bodies (or upstream WAF logs) for XML content-type payloads containing __proto__, constructor.prototype, or prototype literal strings as XML element / attribute names — most legitimate XML payloads do not contain those tokens. From an EDR perspective, the high-confidence signal is the n8n process (a Node.js node parent process) spawning unexpected ssh or git child processes outside of approved Git-node workflows; correlate with the user identity that triggered the workflow at the same timestamp. Container deployments should monitor n8n container egress to unfamiliar SSH hosts and unexpected ssh-keygen invocations or ~/.ssh/known_hosts modifications. n8n's own audit log retains workflow create/modify events per editor account — pivot from any spike in workflow modifications back to the originating account.
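One way to implement the webhook-body check described above, as an added example that is neither n8n's code nor anything from the advisories: a minimal JavaScript scanner over XML element and attribute names (it assumes well-formed XML with quoted attributes; the sample bodies are constructed).

```javascript
// Added example, not n8n's code: flag XML webhook bodies whose element or
// attribute NAMES are prototype-pollution tokens, the hunt signal described
// above. Only names are inspected, so a small tag scanner replaces an XML lib.

const SUSPECT_NAMES = new Set(["__proto__", "constructor", "prototype"]);

// Start/empty tags only: capture the element name and its raw attribute text.
const TAG_RE = /<\s*([A-Za-z_][\w.:-]*)((?:\s+[^\s=\/>]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>/g;
const ATTR_RE = /([^\s=\/>]+)\s*=\s*(?:"[^"]*"|'[^']*')/g;

// "ns:__proto__" -> "__proto__": a namespace prefix must not hide the token.
function localName(name) {
  const i = name.lastIndexOf(":");
  return i === -1 ? name : name.slice(i + 1);
}

// Every suspicious element/attribute name in document order. Text content is
// ignored on purpose: a note field that merely says "prototype" must not alert.
function findPollutionTokens(xmlBody) {
  const findings = [];
  // Comments and CDATA never carry element names; strip them first.
  const cleaned = xmlBody.replace(/<!--[\s\S]*?-->/g, "").replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, "");
  for (const m of cleaned.matchAll(TAG_RE)) {
    const [, tag, attrs] = m;
    if (SUSPECT_NAMES.has(localName(tag))) findings.push({ kind: "element", name: tag });
    for (const a of attrs.matchAll(ATTR_RE)) {
      if (SUSPECT_NAMES.has(localName(a[1]))) {
        findings.push({ kind: "attribute", name: a[1], element: tag });
      }
    }
  }
  return findings;
}

// __proto__ or prototype as a name can reach Object.prototype through a naive
// merge; constructor alone is only a precursor (it needs a prototype child).
function classify(findings) {
  if (findings.length === 0) return "clean";
  const names = findings.map((f) => localName(f.name));
  return names.some((n) => n === "__proto__" || n === "prototype") ? "high" : "low";
}

// Constructed sample bodies (not real traffic).
const BENIGN = '<?xml version="1.0"?><order id="42"><note>prototype of a widget</note></order>';
const SUSPECT = '<root><__proto__><polluted>1</polluted></__proto__><item constructor="x"/></root>';
console.log(classify(findPollutionTokens(BENIGN)), classify(findPollutionTokens(SUSPECT)));
```

Run it against captured webhook bodies or WAF log extracts; the "low" tier is there for a constructor-only hit, so that it can be tuned separately from the unambiguous __proto__ / prototype names.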

Hardening. Apply the vendor patches (n8n 1.123.32 / 2.17.4 / 2.18.1 for the primary chain, 1.123.43 / 2.20.7 / 2.22.1 for the follow-on cluster) — upgrading is the only remediation. Beyond the patch: enforce SSO / MFA on the n8n editor role; restrict workflow creation/modification to a small administrative group; place the n8n webhook surface behind an authenticated reverse proxy with WAF coverage for prototype-pollution literals; disable the Git node if not required; for container deployments, run n8n as a non-root user with no Docker socket access and a read-only root filesystem.

Why this matters for Swiss/EU public-sector defenders. n8n is a fast-growing automation substrate inside agencies that have replaced bespoke ETL with low-code orchestration. A single editor-role credential — typically a federated SSO account — yields RCE on the host that holds connection strings to every system the n8n instance integrates with: SharePoint, M365 Graph, Salesforce, internal databases, GitHub Actions tokens, OpenAI / Azure OpenAI keys. Expect downstream national-CERT advisories (ANSSI / BSI / NCSC-CH) to amplify the patch urgency in the coming days.

n8n addresses five critical prototype pollution and injection flaws (CVE-2026-42231/42232/44791/44789/44790, all CVSS 9.4)

The Hacker News

An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H = 9.4

n8n GHSA-q5f4-99jv-pgg5
Tags: vulnerabilities · rce · patch-available · supply-chain · cloud · global · europe · CVE-2026-42231 · CVE-2026-42232 · CVE-2026-44789 · CVE-2026-44790 · CVE-2026-44791

2026-05-19

CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read

high · vulnerability · discovered 2026-05-19 05:00 UTC

n8n published five Critical security advisories on 2026-05-18: the two primary ones (-42231, -42232) and a follow-on cluster of three (-44789, -44790, -44791) released against later branches (n8n GHSA-q5f4-99jv-pgg5, 2026-05-18; The Hacker News, 2026-05-18). CVE-2026-42231 (CVSS 4.0: 9.4, CWE-1321) is the root cause: a prototype-pollution primitive reachable via crafted XML supplied to the xml2js library used by the n8n webhook handler. Once the global JavaScript object prototype is polluted, the chain pivots into the n8n Git node's SSH operations, letting an authenticated user with workflow create / modify permission achieve RCE on the n8n host. CVE-2026-42232 (GHSA-hqr4-h3xv-9m3r, "XML Node Prototype Pollution to RCE") is a companion XML-Node prototype-pollution flaw exercising the same primitive in a second sink. The follow-on advisories: CVE-2026-44789 (GHSA-c8xv-5998-g76h, "HTTP Request Node Pagination Prototype Pollution to RCE"); CVE-2026-44790 (GHSA-57g9-58c2-xjg3, "Arbitrary File Read via Git Node" — a file-read primitive, not the SSH RCE chain); CVE-2026-44791 (GHSA-wrwr-h859-xh2r, "XML Node Prototype Pollution Patch Bypass"). Patched versions split between two branch trains: -42231 and -42232 in n8n 1.123.32 / 2.17.4 / 2.18.1; -44789, -44790 and -44791 in 1.123.43 / 2.20.7 / 2.22.1. No in-the-wild exploitation reported at the time of writing. Inclusion gate: CVSS 9.4 ≥ 9.0 (PD §2 inclusion gate via the CVSS 9.0–10.0 ENISA EUVD threshold).

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-42231 | n8n (xml2js webhook prototype pollution → Git-node SSH RCE chain) | 9.4 | n/a | No | No (no public ITW) | 1.123.32 / 2.17.4 / 2.18.1 | n8n GHSA-q5f4-99jv-pgg5 |
| CVE-2026-42232 | n8n (XML Node Prototype Pollution to RCE) | 9.4 | n/a | No | No | 1.123.32 / 2.17.4 / 2.18.1 | n8n GHSA-hqr4-h3xv-9m3r |
| CVE-2026-44789 | n8n (HTTP Request Node Pagination — prototype pollution to RCE) | 9.4 | n/a | No | No | 1.123.43 / 2.20.7 / 2.22.1 | n8n GHSA-c8xv-5998-g76h |
| CVE-2026-44790 | n8n (Arbitrary File Read via Git Node — file-read primitive) | 9.4 | n/a | No | No | 1.123.43 / 2.20.7 / 2.22.1 | n8n GHSA-57g9-58c2-xjg3 |
| CVE-2026-44791 | n8n (XML Node Prototype Pollution Patch Bypass) | 9.4 | n/a | No | No | 1.123.43 / 2.20.7 / 2.22.1 | n8n GHSA-wrwr-h859-xh2r |

n8n addresses five critical prototype pollution and injection flaws (CVE-2026-42231/42232/44791/44789/44790, all CVSS 9.4)

The Hacker News

An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host

n8n GHSA-q5f4-99jv-pgg5
Tags: vulnerabilities · rce · patch-available · global · europe · CVE-2026-42231 · CVE-2026-42232 · CVE-2026-44789 · CVE-2026-44790 · CVE-2026-44791