{"data":{"id":"535339f8-3df0-4507-839e-d14435a1cd73","title":"GHSA-q5f4-99jv-pgg5: n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE","summary":"n8n had a vulnerability in its XML webhook parser caused by the `xml2js` library that allowed prototype pollution (a type of attack where an attacker modifies a JavaScript object's base properties to affect all objects). An authenticated user with workflow creation permissions could exploit this flaw and combine it with the Git node's SSH operations to achieve RCE (remote code execution, where an attacker runs commands on a system they don't own).","solution":"The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only, though this is only a temporary mitigation and does not fully remediate the risk.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-q5f4-99jv-pgg5","publishedAt":"2026-04-29T21:25:02.000Z","cveId":"CVE-2026-42231","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.17.0, < 2.17.4 (fixed: 2.17.4)","n8n@>= 2.18.0, < 2.18.1 (fixed: 2.18.1)","n8n@< 1.123.32 (fixed: 1.123.32)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-29T21:25:02.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}