LeakyCreds

CVE-2026-42231 - Vulnerability Analysis

High, CVSS: 8.8

Last Updated: May 6, 2026

n8n - Remote Code Execution

Published: May 4, 2026 | Updated: May 6, 2026 | Remote Exploitable

Overview

n8n versions before 1.123.32, 2.17.4, and 2.18.1 contain a prototype pollution vulnerability caused by flawed xml2js XML parsing in the webhook handler. Authenticated users with workflow permissions can use it to achieve remote code execution via Git node SSH operations.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Authenticated users with workflow permissions can execute arbitrary code remotely on the n8n host, leading to full system compromise.

Mitigation

Update to versions 1.123.32, 2.17.4, 2.18.1 or later.

Details

CVE ID: CVE-2026-42231
Severity: High
CVSS Score: 8.8
Type: prototype_pollution
Status: confirmed

CWE

  • CWE-1321

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H