GHSA-wrwr-h859-xh2r: n8n Has an XML Node Prototype Pollution Patch Bypass
Summary
n8n, a workflow automation tool, has a security flaw in its XML node (a tool for processing XML data) that lets authenticated users bypass a previous security patch and potentially achieve RCE (remote code execution, where an attacker runs commands on a system they don't control) on the n8n server. The vulnerability requires the attacker to have permission to create or modify workflows and works best when combined with other nodes.
Solution / Mitigation
Upgrade to n8n version 1.123.43, 2.20.7, or 2.22.1 or later. If immediate upgrading is not possible, administrators can temporarily limit workflow creation and editing permissions to trusted users only, or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable (a setting that controls which tools are available). These workarounds do not fully fix the risk and should only be used as short-term measures.
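The following audit sketch is an added example, not code from n8n or from the advisory: it checks a reported n8n version against the three fixed releases, verifies that the `NODES_EXCLUDE` workaround is actually in effect, and lists exported workflows that still contain the XML node. Assumptions: the mapping of release lines to fixed versions in `is_patched`, `NODES_EXCLUDE` holding a JSON array of node type names, and exported workflows carrying a `nodes` list with a `type` field; the sample workflows are constructed.

```python
import json

# Fixed releases named in the advisory, one per release line.
FIXED_1X, FIXED_2_20, FIXED_2_22 = (1, 123, 43), (2, 20, 7), (2, 22, 1)
XML_NODE = "n8n-nodes-base.xml"

# Constructed sample of exported workflows (shape assumed: name + nodes[].type).
SAMPLE_WORKFLOWS = [
    {"name": "invoice-import", "nodes": [{"type": "n8n-nodes-base.webhook"}, {"type": XML_NODE}]},
    {"name": "slack-digest", "nodes": [{"type": "n8n-nodes-base.slack"}]},
]


def parse_version(text):
    """Turn '2.20.6' or 'v2.20.6' into (2, 20, 6)."""
    parts = tuple(int(p) for p in text.strip().lstrip("v").split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return parts


def is_patched(version):
    """Assumed mapping: 1.x needs 1.123.43, 2.0-2.20 needs 2.20.7, newer needs 2.22.1."""
    v = parse_version(version)
    if v[0] < 2:
        return v >= FIXED_1X
    if v[:2] <= (2, 20):
        return v >= FIXED_2_20
    return v >= FIXED_2_22


def xml_node_excluded(nodes_exclude):
    """True only if NODES_EXCLUDE parses as a JSON array listing the XML node."""
    try:
        excluded = json.loads(nodes_exclude or "[]")
    except json.JSONDecodeError:
        return False  # malformed value: treat the workaround as not applied
    return isinstance(excluded, list) and XML_NODE in excluded


def workflows_using_xml(workflows):
    """Names of workflows that contain at least one XML node."""
    return [wf.get("name", "<unnamed>") for wf in workflows
            if any(n.get("type") == XML_NODE for n in wf.get("nodes", []))]


if __name__ == "__main__":
    print(is_patched("2.20.6"), xml_node_excluded('["n8n-nodes-base.xml"]'),
          workflows_using_xml(SAMPLE_WORKFLOWS))
```

A value such as `NODES_EXCLUDE=n8n-nodes-base.xml` (no JSON brackets) is reported as not excluded, which is the misconfiguration this check is meant to catch.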
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-wrwr-h859-xh2r
First tracked: May 14, 2026 at 02:00 PM