CVE-2026-42231

Severity: High (lab available)

n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE

Title source: CNA

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42231. PoCs published by rudSarkar.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-42231, demonstrating XML prototype pollution in n8n leading to RCE via Git node manipulation. The PoC includes a detailed technical analysis, a Docker setup, and exploit scripts.

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
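Added illustration of the CWE-1321 mechanism named in the description. This is example code written for this page, not code from n8n, xml2js or the rudSarkar PoC: the tiny XML parser, the merge routines and the `<__proto__>` payload are constructed assumptions and are not the exact code path or payload of CVE-2026-42231, and the Git node SSH chain that turns the pollution into RCE is not reproduced. The block shows how a parsed XML body whose element is named `__proto__` reaches `Object.prototype` through a naive recursive merge, a pre-merge check that flags such keys, a hardened merge that refuses them, and a runtime canary for a process that has already been polluted.

```javascript
// Example code for this page, not code from n8n, xml2js or the PoC repository.
// Shows the prototype-pollution pattern of CWE-1321 on a parsed XML body.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Minimal XML subset parser (constructed for this example): nested elements and
// text only, no attributes, entities, comments, namespaces or self-closing tags.
function parseXml(xml) {
  const tokens = xml.match(/<\/?[^>]+>|[^<]+/g) || [];
  let i = 0;
  function parseElement() {
    const m = /^<([^\s/>]+)>$/.exec(tokens[i++] || "");
    if (!m) throw new Error("expected a start tag at token " + (i - 1));
    const name = m[1];
    const children = [];
    let text = "";
    while (i < tokens.length) {
      const t = tokens[i];
      if (t.startsWith("</")) {
        i++;
        if (t !== "</" + name + ">") throw new Error("mismatched end tag " + t);
        return { name, children, text: text.trim() };
      }
      if (t.startsWith("<")) children.push(parseElement());
      else { text += t; i++; }
    }
    throw new Error("unterminated element <" + name + ">");
  }
  return parseElement();
}

// Turns the element tree into nested objects the way a body parser does.
// Null-prototype objects make "__proto__" an ordinary own key, so the
// attacker-chosen element name survives into the merge step below.
function elementToObject(el) {
  if (el.children.length === 0) return el.text;
  const obj = Object.create(null);
  for (const child of el.children) {
    const value = elementToObject(child);
    if (child.name in obj) {
      // repeated element names are collected into an array
      if (!Array.isArray(obj[child.name])) obj[child.name] = [obj[child.name]];
      obj[child.name].push(value);
    } else {
      obj[child.name] = value;
    }
  }
  return obj;
}

// Vulnerable pattern: recursive merge of the parsed body into a defaults object.
// For key "__proto__", target[key] resolves to Object.prototype, so the nested
// attacker values are written onto every object in the process.
function deepMergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      deepMergeNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain and only
// recurse into properties the target itself owns.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) throw new Error("rejected dangerous key: " + key);
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input-side check: walk the parsed body and return the first dangerous key as
// a dotted path (e.g. "body.__proto__"), or null when the body is clean.
function findDangerousKey(value, path = []) {
  if (value === null || typeof value !== "object") return null;
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.entries(value);
  for (const [key, child] of entries) {
    if (!Array.isArray(value) && DANGEROUS_KEYS.has(key)) return [...path, key].join(".");
    const hit = findDangerousKey(child, [...path, key]);
    if (hit) return hit;
  }
  return null;
}

// Runtime canary: a healthy Object.prototype has no enumerable own properties.
function prototypeIsPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed webhook body (not the CVE's payload): the element name is __proto__.
const PAYLOAD =
  "<body><__proto__><polluted>yes</polluted></__proto__><name>order-1</name></body>";

function demo() {
  const tree = parseXml(PAYLOAD);
  const body = elementToObject(tree);
  const dangerousPath = findDangerousKey(body, [tree.name]);

  deepMergeNaive({}, body);                       // vulnerable merge
  const pollutedAfterNaive = prototypeIsPolluted() && ({}).polluted === "yes";
  delete Object.prototype.polluted;               // undo the pollution for the rest of the process

  let safeRejected = false;
  try { deepMergeSafe({}, body); } catch (e) { safeRejected = true; }

  return { dangerousPath, pollutedAfterNaive, cleanAfterCleanup: !prototypeIsPolluted(), safeRejected };
}

console.log(demo());
```

`demo()` deliberately pollutes and then repairs `Object.prototype` inside the same process; in a real service the canary `prototypeIsPolluted()` is the post-incident check, and `findDangerousKey` is the pre-merge rejection a webhook handler would apply before any parsed body touches shared objects.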

Exploits (1)

nomisec · Working PoC
by rudSarkar · PoC
https://github.com/rudSarkar/CVE-2026-42231


Classification
Working PoC (100% confidence)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: n8n < 1.123.32 / < 2.17.4 / < 2.18.1
Authentication: the analyzer marks the PoC as needing no authentication because the polluting request is sent to a public webhook endpoint; note that the CVE description and the CVSS vector (PR:L) assume an authenticated user able to create or modify the workflow that exposes that webhook and the Git node.
Prerequisites: public Webhook trigger with XML content type · Git node performing SSH operations · unpatched n8n (< 1.123.32, < 2.17.4 or < 2.18.1)
Analyzed by devstral-2 on May 07, 2026


Scores

CVSS v3.1 8.8 (High)
EPSS 0.0030 (0.30%)
EPSS Percentile 53.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

Community Lab
docker pull n8nio/n8n:1.123.22
docker pull n8n-proto-pollution-poc:latest
Note: 1.123.22 is a pre-patch release of the 1.x branch (fixed in 1.123.32). The second image name carries no registry or namespace prefix, so a plain pull from Docker Hub will not resolve it; it is presumably built locally from the PoC repository's Docker setup.

Details

CWE
CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
Status published
Products (8)
n8n/n8n 2.18.0
n8n/n8n < 1.123.32
n8n-io/n8n < 1.123.32
n8n-io/n8n >= 2.17.0, < 2.17.4
n8n-io/n8n >= 2.18.0, < 2.18.1
npm/n8n >= 0, < 1.123.32 (npm)
npm/n8n >= 2.17.0, < 2.17.4 (npm)
npm/n8n >= 2.18.0, < 2.18.1 (npm)
Published May 04, 2026
Tracked Since May 05, 2026