Daily brief 2026-05-19
n8n prototype-pollution chain (CVE-2026-42231 et al.): authenticated-to-RCE on a workflow-automation platform that Swiss/EU agencies increasingly stand up as their integration bus
Entities: NCSC-CH
Part of run 2026-05-19-2505c918 (intel · Claude Opus 4.7)
n8n is an open-source / fair-code workflow automation platform — visual flow editor, hundreds of "nodes" wrapping SaaS APIs, file processing, code execution, Git operations and HTTP calls — increasingly deployed by Swiss/EU public-sector teams as a low-code integration bus, by federal data offices for pipeline orchestration, and by university research groups as a lab automation glue layer. n8n disclosed five Critical CVEs at CVSS 9.4 each on 2026-05-18, split across two patch trains: the primary chain (-42231 / -42232) and a follow-on cluster (-44789 / -44790 / -44791) addressing additional prototype-pollution and file-read primitives (n8n GHSA-q5f4-99jv-pgg5, 2026-05-18; The Hacker News, 2026-05-18).
Vulnerability class and component. The root flaw, CVE-2026-42231 (GHSA-q5f4-99jv-pgg5, CWE-1321 Prototype Pollution), is a prototype-pollution primitive reachable via crafted XML supplied to the xml2js library used by n8n's webhook handler to parse XML request bodies. By embedding __proto__ / constructor.prototype payloads into the parsed XML, an authenticated user with permission to create or modify workflows can pollute the global JavaScript object prototype on the n8n process. The advisory's stated chain pivots into the n8n Git node's SSH operations: once the prototype is polluted, the Git node's SSH invocation path consumes attacker-controlled values and achieves RCE on the n8n host. CVE-2026-42232 (GHSA-hqr4-h3xv-9m3r, "XML Node Prototype Pollution to RCE") is a companion XML-Node prototype-pollution flaw exercising the same primitive in a second sink. The follow-on advisories address additional sinks: CVE-2026-44789 (GHSA-c8xv-5998-g76h) is "HTTP Request Node Pagination Prototype Pollution to RCE" — a second prototype-pollution path through the pagination logic; CVE-2026-44790 (GHSA-57g9-58c2-xjg3) is "Arbitrary File Read via Git Node" — a separate file-read primitive distinct from the RCE chain; CVE-2026-44791 (GHSA-wrwr-h859-xh2r) is "XML Node Prototype Pollution Patch Bypass" — a regression / bypass of the initial xml2js fix. The vendor's published CVSS vector for CVE-2026-42231 is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H = 9.4 — network attack, low complexity, low privileges required (a workflow editor account), no user interaction, high confidentiality / integrity / availability impact on both the n8n host and subsequent systems.
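To make the vulnerability class concrete, the following is an added example, not n8n's or xml2js's code: a minimal XML-to-object builder in the style a webhook body parser uses (element names become object keys), written once with the unsafe "get-or-create child" pattern and once hardened. The parser, the sample bodies and the names `unsafeParse` / `safeParse` / `demonstratePollution` are constructed for this illustration; it handles only nested elements and text, which is enough to show why a `__proto__` element name reaches the global prototype and how null-prototype containers plus a key denylist stop it.

```javascript
// Added example, not n8n or xml2js code. Supported XML subset: nested elements
// and text only (no attributes, namespaces, CDATA or entities).

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Tokenise the XML subset into open / close / text events.
function tokenize(xml) {
  const re = /<\/([\w.:-]+)\s*>|<([\w.:-]+)\s*\/>|<([\w.:-]+)[^>]*>|([^<]+)/g;
  const events = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[1] !== undefined) {
      events.push({ type: 'close', name: m[1] });
    } else if (m[2] !== undefined) {            // self-closing element
      events.push({ type: 'open', name: m[2] }, { type: 'close', name: m[2] });
    } else if (m[3] !== undefined) {
      events.push({ type: 'open', name: m[3] });
    } else if (m[4].trim() !== '') {            // skip whitespace between tags
      events.push({ type: 'text', value: m[4].trim() });
    }
  }
  return events;
}

// Generic tree builder: `newNode` creates containers, `childOf` returns the
// container for a child element name (creating it on first sight).
function buildTree(xml, newNode, childOf) {
  const root = newNode();
  const stack = [root];
  for (const ev of tokenize(xml)) {
    const cur = stack[stack.length - 1];
    if (ev.type === 'open') stack.push(childOf(cur, ev.name));
    else if (ev.type === 'close') stack.pop();
    else cur['#text'] = ev.value;
  }
  return root;
}

// UNSAFE: plain objects inherit from Object.prototype, so cur['__proto__'] is
// already defined (it IS Object.prototype) and becomes the container that the
// following child elements are written into. That is the pollution primitive.
function unsafeParse(xml) {
  return buildTree(xml, () => ({}), (cur, name) => {
    if (cur[name] === undefined) cur[name] = {};
    return cur[name];
  });
}

// HARDENED: null-prototype containers (no inherited keys, no __proto__ setter),
// own-property checks, and an explicit rejection of the known pollution keys.
function safeParse(xml) {
  try {
    const tree = buildTree(xml, () => Object.create(null), (cur, name) => {
      if (DANGEROUS_KEYS.has(name)) throw new Error(`rejected element name: ${name}`);
      if (!Object.prototype.hasOwnProperty.call(cur, name)) cur[name] = Object.create(null);
      return cur[name];
    });
    return { ok: true, tree };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample bodies (not taken from any advisory or exploit).
const BENIGN_BODY = '<order><id>42</id><status>paid</status></order>';
const POLLUTING_BODY = '<order><__proto__><polluted>yes</polluted></__proto__></order>';

// Shows the class of bug: after the unsafe parse, a fresh unrelated object
// inherits a `polluted` key. The global prototype is restored afterwards so the
// rest of the process is unaffected.
function demonstratePollution() {
  unsafeParse(POLLUTING_BODY);
  const leakedIntoFreshObject = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return leakedIntoFreshObject;
}
```

The denylist is defence in depth: with `Object.create(null)` containers, `__proto__` is just an own data key and has no setter, so the structural fix alone already closes the primitive; rejecting the body outright is the better behaviour for a webhook handler because no legitimate XML schema names elements that way.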
Exploitation prerequisites. Authenticated access to the n8n instance at the workflow-editor role or higher, plus reachability to a webhook endpoint that accepts XML content-type bodies. n8n self-hosted deployments commonly expose webhook endpoints to the public internet (the Webhook Trigger node is the canonical way to ingest events) — so any compromised editor credential, or any internal user account on an unrestricted n8n instance, is the entry point. Patched versions: the primary chain (-42231, -42232) is fixed in n8n 1.123.32 / 2.17.4 / 2.18.1; the follow-on cluster (-44789, -44790, -44791) is fixed in 1.123.43 / 2.20.7 / 2.22.1. Operators must apply the later branch train to cover the full chain; applying only the initial fixes leaves the pagination prototype-pollution path, the Git-node arbitrary file read, and the XML-node patch-bypass exposed. Upgrade is the only remediation; no workaround.
Kill chain and ATT&CK mapping. T1190 Exploit Public-Facing Application — webhook handler as the initial-access exposure for the prototype pollution. T1059.007 Command and Scripting Interpreter: JavaScript — prototype-pollution primitive lives in the JS runtime. T1068 Exploitation for Privilege Escalation — pollution-to-Git-SSH-chain crosses from editor-role workflow context to host-process command execution. T1611 Escape to Host is relevant for the (common) Docker-deployed n8n: RCE on the n8n container can pivot to host depending on socket / mount exposure.
Hunt and detection concepts. Inspect n8n webhook HTTP request bodies (or upstream WAF logs) for XML content-type payloads containing __proto__, constructor.prototype, or prototype literal strings as XML element / attribute names — most legitimate XML payloads do not contain those tokens. From an EDR perspective, the high-confidence signal is the n8n process (a Node.js parent process) spawning unexpected ssh or git child processes outside of approved Git node workflows; correlate with the user identity that triggered the workflow at the same timestamp. Container deployments should monitor n8n container egress to unfamiliar SSH hosts and unexpected ssh-keygen invocations or ~/.ssh/known_hosts modifications. n8n's own audit log retains workflow create/modify events for the editor account — pivot from any spike in workflow modifications back to the originating account.
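Two of the hunt ideas above as runnable checks over constructed log records, added here as an example (not n8n, WAF or EDR code). The record field names (`contentType`, `body`, `parentExe`, `exe`, `workflowId`, `user`) and the helper names are assumptions for this example, not any product's schema; the two rules are the element/attribute-name token match on XML bodies and the node-parent-spawns-ssh/git check keyed on an allowlist of approved Git-node workflow ids.

```javascript
// Added example, not n8n code. Field names are assumed for illustration.

// Pollution tokens only where XML element or attribute NAMES go: "<__proto__",
// "</constructor", " prototype=". The same words inside text content do not match.
const POLLUTION_NAME_RE =
  /<\/?\s*(__proto__|constructor|prototype)(?=[\s/>])|\s(__proto__|constructor|prototype)\s*=/i;

function isXmlContentType(ct) {
  return /\b(application|text)\/([\w.+-]*\+)?xml\b/i.test(ct || '');
}

// Returns a finding for one webhook request record, or null.
function inspectWebhookRequest(rec) {
  if (!isXmlContentType(rec.contentType)) return null;
  const m = POLLUTION_NAME_RE.exec(rec.body || '');
  if (!m) return null;
  return { rule: 'xml-prototype-pollution-token', path: rec.path, token: m[1] || m[2], sourceIp: rec.sourceIp };
}

// n8n runs under `node`; an ssh / git / ssh-keygen child that is not tied to an
// approved Git-node workflow is the high-confidence EDR signal.
const SUSPICIOUS_CHILDREN = new Set(['ssh', 'git', 'ssh-keygen']);

function inspectProcessEvent(ev, approvedWorkflowIds) {
  const parent = ev.parentExe.split('/').pop();
  const child = ev.exe.split('/').pop();
  if (parent !== 'node' || !SUSPICIOUS_CHILDREN.has(child)) return null;
  if (ev.workflowId && approvedWorkflowIds.has(ev.workflowId)) return null;
  return { rule: `n8n-spawned-${child}`, workflowId: ev.workflowId, triggeredBy: ev.user };
}

function runHunt(webhookLog, processLog, approvedWorkflowIds) {
  const findings = [];
  for (const rec of webhookLog) {
    const f = inspectWebhookRequest(rec);
    if (f) findings.push(f);
  }
  for (const ev of processLog) {
    const f = inspectProcessEvent(ev, approvedWorkflowIds);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample records (no real traffic, hosts or users).
const WEBHOOK_LOG = [
  { path: '/webhook/invoice-in', contentType: 'application/xml', sourceIp: '203.0.113.7',
    body: '<invoice><id>17</id></invoice>' },
  { path: '/webhook/invoice-in', contentType: 'application/xml', sourceIp: '203.0.113.9',
    body: '<invoice><__proto__><x>1</x></__proto__></invoice>' },
  { path: '/webhook/events', contentType: 'application/json', sourceIp: '198.51.100.4',
    body: '{"__proto__":{"x":1}}' },                       // out of scope for the XML rule
  { path: '/webhook/notes', contentType: 'text/xml', sourceIp: '198.51.100.5',
    body: '<note>see the constructor docs</note>' },      // token in text content only: no hit
];
const PROCESS_LOG = [
  { parentExe: '/usr/local/bin/node', exe: '/usr/bin/git', workflowId: 'wf-approved-1', user: 'svc-etl' },
  { parentExe: '/usr/local/bin/node', exe: '/usr/bin/ssh', workflowId: 'wf-0815', user: 'alice' },
  { parentExe: '/bin/bash', exe: '/usr/bin/ssh', workflowId: null, user: 'ops' },
];
const APPROVED_GIT_WORKFLOWS = new Set(['wf-approved-1']);
```

Calling `runHunt(WEBHOOK_LOG, PROCESS_LOG, APPROVED_GIT_WORKFLOWS)` yields two findings: the XML body carrying `<__proto__>` and the unapproved ssh child of the node process, the latter already carrying the triggering user for the correlation step described above.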
Hardening. Apply the vendor patches — the primary-chain fixes (n8n 1.123.32 / 2.17.4 / 2.18.1) and the follow-on cluster fixes (1.123.43 / 2.20.7 / 2.22.1) — that is the only remediation. Beyond patch: enforce SSO / MFA on the n8n editor role; restrict workflow creation/modification to a small administrative group; place the n8n webhook surface behind an authenticated reverse proxy with WAF coverage for prototype-pollution literals; disable the Git node if not required; for container deployments, run n8n as a non-root user with no Docker socket access and a read-only root filesystem.
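The container-side items of that list as a checkable policy, added here as an example (not n8n's or Docker's code): a function that audits a Compose-style service definition, given as a plain object with Compose's `user`, `read_only`, `volumes` and `environment` keys, and reports each gap, shown against a weak and a corrected definition. `NODES_EXCLUDE` is n8n's environment variable for disabling node types; the Git node's type name `n8n-nodes-base.git` is an assumption in this example and should be confirmed against the instance's node list before use.

```javascript
// Added example, not n8n or Docker code. Compose keys used: user, read_only,
// volumes, environment. The node type name 'n8n-nodes-base.git' is assumed.

const GIT_NODE_TYPE = 'n8n-nodes-base.git';   // assumed type name, verify locally

function auditN8nService(svc) {
  const findings = [];

  // Non-root user: Compose's `user` is "uid[:gid]" or a name; absent means the image default.
  const user = String(svc.user ?? 'root');
  if (user === 'root' || user === '0' || user.startsWith('0:')) findings.push('runs as root');

  // Read-only root filesystem.
  if (svc.read_only !== true) findings.push('root filesystem is writable');

  // No Docker socket mounted into the container.
  for (const v of svc.volumes || []) {
    if (v.split(':')[0] === '/var/run/docker.sock') findings.push('docker socket is mounted');
  }

  // Git node disabled via NODES_EXCLUDE (a JSON array of node type names).
  const env = svc.environment || {};
  let excluded = [];
  try {
    excluded = JSON.parse(env.NODES_EXCLUDE || '[]');
  } catch {
    findings.push('NODES_EXCLUDE is not valid JSON');
  }
  if (!Array.isArray(excluded) || !excluded.includes(GIT_NODE_TYPE)) findings.push('Git node not disabled');

  return findings;
}

// Constructed definitions (image tag omitted; use the patched release).
const WEAK_SERVICE = {
  volumes: ['/var/run/docker.sock:/var/run/docker.sock', 'n8n_data:/home/node/.n8n'],
  environment: { N8N_PORT: '5678' },
};

const HARDENED_SERVICE = {
  user: '1000:1000',
  read_only: true,
  volumes: ['n8n_data:/home/node/.n8n'],         // the only writable path n8n needs
  environment: { N8N_PORT: '5678', NODES_EXCLUDE: `["${GIT_NODE_TYPE}"]` },
};
```

Running `auditN8nService(WEAK_SERVICE)` lists all four gaps; the hardened definition returns an empty list. Keeping the Git node excluded removes the sink the advisory chain pivots into, which is the single most useful change for instances that never use it.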
Why this matters for Swiss/EU public-sector defenders. n8n is a fast-growing automation substrate inside agencies that have replaced bespoke ETL with low-code orchestration. A single editor-role credential — typically a federated SSO account — yields RCE on the host that holds connection strings to every system the n8n instance integrates with: SharePoint, M365 Graph, Salesforce, internal databases, GitHub Actions tokens, OpenAI / Azure OpenAI keys. Expect downstream national-CERT advisories (ANSSI / BSI / NCSC-CH) to amplify the patch urgency in the coming days.
“n8n addresses five critical prototype pollution and injection flaws (CVE-2026-42231/42232/44791/44789/44790, all CVSS 9.4)” — The Hacker News
“An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H = 9.4” — n8n GHSA-q5f4-99jv-pgg5