CVE-2026-42232 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: May 6, 2026
n8n - Prototype Pollution & Remote Code Execution
Published: May 4, 2026 | Updated: May 6, 2026 | Remote Exploitable
Overview
n8n versions prior to 1.123.32, 2.17.4, and 2.18.1 contain a prototype pollution vulnerability caused by improper handling in the XML Node. An authenticated user with workflow modification permissions can achieve remote code execution when the flaw is combined with other nodes.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated users can achieve remote code execution by exploiting prototype pollution in XML Node combined with other nodes.
Mitigation
Update to versions 1.123.32, 2.17.4, or 2.18.1 or later.
Details
- CVE ID: CVE-2026-42232
- Severity: High
- CVSS Score: 8.8
- Type: prototype_pollution
- Status: confirmed
CWE
- CWE-1321
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H