Multiple Vulnerabilities in n8n Platform
22 May 2026
n8n has released security updates to address multiple vulnerabilities in n8n open-source workflow automation platform. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
n8n has released security updates to address multiple vulnerabilities affecting its open-source workflow automation platform. Three of these are Prototype Pollution vulnerabilities, identified in the xml2js library (CVE-2026-42231), the Extensible Markup Language (XML) node (CVE-2026-42232), and the HyperText Transfer Protocol (HTTP) Request node (CVE-2026-44789). A Patch Bypass vulnerability (CVE-2026-44791) was found to circumvent the fix previously released for CVE-2026-42232, meaning that systems patched only against CVE-2026-42232 may still be vulnerable. Lastly, an Improper Input Validation vulnerability (CVE-2026-44790) in the Git node's Push operation could allow an attacker to read sensitive files from the server.
Each of these vulnerabilities has a Common Vulnerability Scoring System (CVSS v4.0) score of 9.4 out of 10.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-42231: An authenticated user with permission to create or modify workflows could exploit this vulnerability to pollute the JavaScript object prototype, potentially leading to Remote Code Execution (RCE) on the n8n host.
CVE-2026-42232: An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML node, which when combined with other nodes, could lead to RCE on the n8n host.
CVE-2026-44791: An authenticated user with permission to create or modify workflows could bypass the patch previously released for CVE-2026-42232 in the XML node, which when combined with other nodes, could lead to RCE on the n8n host.
CVE-2026-44790: An authenticated user with permission to create or modify workflows could inject Command Line Interface (CLI) flags into the Git node's Push operation, allowing an attacker to read arbitrary files from the n8n server and potentially leading to full system compromise.
CVE-2026-44789: An authenticated user with permission to create or modify workflows could achieve global prototype pollution via improper validation of a user-supplied parameter in the HyperText Transfer Protocol (HTTP) Request node, which when combined with other techniques, could lead to RCE on the n8n host.
Affected Products
These vulnerabilities affect the following n8n platform versions:
For CVE-2026-42231 and CVE-2026-42232:
n8n package (npm) running versions prior to 1.123.32, 2.17.4, and 2.18.1.
For CVE-2026-44791, CVE-2026-44790 and CVE-2026-44789:
n8n package (npm) running versions prior to 1.123.43, 2.22.1, and 2.20.7.
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately.
If immediate patching is not feasible, administrators are advised to limit workflow creation and editing permissions to fully trusted users only. In addition, the following workarounds may be considered based on the specific CVEs applicable to your environment:
For CVE-2026-42232 and CVE-2026-44791, disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable.
For CVE-2026-44790, disable the Git node by adding n8n-nodes-base.git to the NODES_EXCLUDE environment variable.
For CVE-2026-44789, disable the HyperText Transfer Protocol (HTTP) Request node by adding n8n-nodes-base.httpRequest to the NODES_EXCLUDE environment variable.
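As an added example, not part of this advisory or of the n8n project's code, the following Python script checks an installed n8n version against the fixed versions listed under Affected Products and, for the CVEs that still apply, builds the NODES_EXCLUDE value for the workaround nodes named above. It assumes n8n reads NODES_EXCLUDE as a JSON array of node type names (the format n8n documents for that variable), and it interprets the version ranges conservatively: a version counts as patched only if it is at or above the listed fix for its own minor line, or at or above the highest listed fix in its major line; minor lines with no listed fix (for example 2.19.x or 2.21.x) are treated as unpatched. That interpretation is the script author's assumption, not a statement from the advisory.

```python
"""Check an n8n version against the advisory's fixed versions and build the
NODES_EXCLUDE workaround string. Added example; not code from the advisory
or from the n8n project.

Assumptions (not stated on the page):
  * A version is patched for a CVE if it is >= the listed fix for its own
    x.y minor line, or >= the highest listed fix in its major line. Minor
    lines with no listed fix are treated conservatively as unpatched.
  * NODES_EXCLUDE is read by n8n as a JSON array of node type names (the
    format n8n documents for the variable); this script only builds it.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed versions exactly as listed in the advisory, grouped by CVE.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2026-42231": ["1.123.32", "2.17.4", "2.18.1"],
    "CVE-2026-42232": ["1.123.32", "2.17.4", "2.18.1"],
    "CVE-2026-44791": ["1.123.43", "2.22.1", "2.20.7"],
    "CVE-2026-44790": ["1.123.43", "2.22.1", "2.20.7"],
    "CVE-2026-44789": ["1.123.43", "2.22.1", "2.20.7"],
}

# Node to exclude per CVE, from the advisory's Mitigation section.
# CVE-2026-42231 sits in the xml2js library itself, so the advisory lists
# no node-level workaround for it: only patching removes that exposure.
WORKAROUND_NODES: Dict[str, str] = {
    "CVE-2026-42232": "n8n-nodes-base.xml",
    "CVE-2026-44791": "n8n-nodes-base.xml",
    "CVE-2026-44790": "n8n-nodes-base.git",
    "CVE-2026-44789": "n8n-nodes-base.httpRequest",
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; an optional leading 'v' is ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_patched(installed: str, fixed: List[str]) -> bool:
    """Apply the conservative rule described in the module docstring."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed]
    same_minor = [f for f in fixes if f[:2] == inst[:2]]
    if same_minor:
        return inst >= max(same_minor)
    same_major = [f for f in fixes if f[0] == inst[0]]
    if same_major:
        return inst >= max(same_major)
    return False  # major line with no listed fix: treat as unpatched


def exposure(installed: str) -> Dict[str, bool]:
    """Map each CVE to True when the installed version is still exposed."""
    return {cve: not is_patched(installed, fixed)
            for cve, fixed in FIXED_VERSIONS.items()}


def nodes_exclude_value(installed: str) -> str:
    """JSON array string for NODES_EXCLUDE covering the still-open CVEs."""
    nodes = sorted({WORKAROUND_NODES[cve]
                    for cve, exposed in exposure(installed).items()
                    if exposed and cve in WORKAROUND_NODES})
    return json.dumps(nodes)


if __name__ == "__main__":
    # Usage: python check_n8n.py 2.20.5  (the version is a constructed input)
    ver = sys.argv[1] if len(sys.argv) > 1 else "2.20.5"
    for cve, exposed in exposure(ver).items():
        print(f"{cve}: {'EXPOSED' if exposed else 'patched'}")
    print(f"NODES_EXCLUDE={nodes_exclude_value(ver)}")
```

The exclusion list is only a stopgap: an installed 2.20.5, for example, is reported as patched for the two original xml2js/XML-node issues but still exposed to the three later CVEs, and the script emits the XML, Git and HTTP Request node names for NODES_EXCLUDE. Only updating to the listed fixed versions closes CVE-2026-42231, which has no node-level workaround.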
References
https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5
https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r
https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r
https://github.com/n8n-io/n8n/security/advisories/GHSA-57g9-58c2-xjg3
https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h
https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html
