GHSA-q5f4-99jv-pgg5: n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
Summary
n8n had a vulnerability in its XML webhook parser caused by the `xml2js` library that allowed prototype pollution (a type of attack where an attacker modifies a JavaScript object's base properties to affect all objects). An authenticated user with workflow creation permissions could exploit this flaw and combine it with the Git node's SSH operations to achieve RCE (remote code execution, where an attacker runs commands on a system they don't own).
Solution / Mitigation
The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only, though this is only a temporary mitigation and does not fully remediate the risk.
Vulnerability Details
EPSS: 0.0%
Yes
April 29, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-q5f4-99jv-pgg5
First tracked: April 29, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%