CVE-2026-42231: n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE

April 29, 2026 (updated May 8, 2026)

A flaw in the xml2js library used to parse XML request bodies in n8n’s webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node’s SSH operations, achieve remote code execution on the n8n host.

References

github.com/advisories/GHSA-q5f4-99jv-pgg5
github.com/n8n-io/n8n
github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5
nvd.nist.gov/vuln/detail/CVE-2026-42231

Code Behaviors & Features

Detect and mitigate CVE-2026-42231 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →