n8n — Five Critical CVEs Including Prototype Pollution RCE in AI Workflow Platform
AI relevance: n8n is an open-source AI workflow automation platform used to orchestrate LLM agents, MCP tool chains, and multi-step AI pipelines — making these RCE and prototype-pollution flaws directly exploitable against agent infrastructure.
- CVE-2026-42231 (CVSS 9.4) — Prototype pollution via crafted XML payloads in the xml2js library used by n8n's webhook handler. Authenticated users with workflow permissions achieve remote code execution on the host.
- CVE-2026-42232 (CVSS 9.4) — Global prototype pollution via the XML Node. Authenticated workflow editors trigger RCE when chained with nodes that exploit the polluted prototype.
- CVE-2026-44791 (CVSS 9.4) — Bypass for CVE-2026-42232. The original patch did not cover all attack paths through the XML parsing pipeline.
- Two further critical CVEs in the same advisory, covering authentication and authorization gaps, bring the total to five n8n patches.
- All five are fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Self-hosted instances are the primary attack surface.
Why it matters
AI workflow platforms like n8n sit at the intersection of orchestration and execution — they hold API keys, process user input, and trigger downstream tool calls. Prototype pollution RCE in this tier gives attackers a path to hijack entire AI agent pipelines, not just a single model endpoint. The bypass vulnerability (CVE-2026-44791) shows how rapidly patch gaps can emerge in complex XML parsing stacks.
What to do
- Upgrade self-hosted n8n to 1.123.32, 2.17.4, or 2.18.1 immediately.
- Review workflow permissions — restrict who can create or edit workflows containing XML or webhook nodes.
- Audit n8n logs for anomalous XML payloads sent to webhook endpoints.
Sources: