{"data":{"id":"791119dd-199f-4447-b293-6c0c7a31a463","title":"GHSA-wrwr-h859-xh2r: n8n Has an XML Node Prototype Pollution Patch Bypass","summary":"n8n, a workflow automation tool, has a security flaw in its XML node (a tool for processing XML data) that lets authenticated users bypass an earlier patch for prototype pollution (tampering with the base object that other JavaScript objects inherit properties from) and potentially achieve RCE (remote code execution, where an attacker runs commands on a system they don't control) on the n8n server. Exploitation requires permission to create or modify workflows, and the impact is greatest when the XML node is combined with other nodes in a workflow.","solution":"Upgrade to n8n version 1.123.43, 2.20.7, or 2.22.1 (whichever matches your release line) or a later release. If immediate upgrading is not possible, administrators can temporarily limit workflow creation and editing permissions to trusted users only, or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable (a setting that lists nodes n8n should not load). These workarounds do not fully remove the risk and should only be used as short-term measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-wrwr-h859-xh2r","publishedAt":"2026-05-14T16:17:49.000Z","cveId":"CVE-2026-44791","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.0.0-rc.0, < 2.20.7 (fixed: 2.20.7)","n8n@>= 2.21.0, < 2.22.1 (fixed: 2.22.1)","n8n@< 1.123.43 (fixed: 1.123.43)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T16:17:49.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}