External risk intelligence

Attacker can take control of n8n with existing access, risking customer data and service disruption.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-42232

An internal attacker with workflow access can compromise the n8n platform by submitting malicious data. This allows them to run unauthorized commands to gain full control of the server, potentially exposing sensitive business data and privileged API keys.

2Halo Surface Signal

N8n

before 1.123.322.17.0 to before 2.17.42.18.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-42232

The vulnerability requires valid authentication and specific workflow editing permissions within the n8n platform. While the service may be accessible via the web, this flaw is not reachable via unauthenticated public internet requests and remains protected by application-level access controls, making direct internet-based exploitation unlikely.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A security flaw in n8n, an automation platform, allows an authenticated user to potentially execute arbitrary code. This happens when a user with workflow editing privileges exploits a vulnerability in the XML Node, leading to a broader system compromise. Teams should pay attention because this could impact sensitive automated processes and data.

  • Compromise of sensitive data or systems.
  • Affects authenticated users with specific permissions.
  • Remote code execution is possible.

Attack Path

How an attacker could exploit the issue

An authenticated n8n user can abuse a prototype pollution flaw in the XML Node to achieve Remote Code Execution. By crafting a malicious XML payload, this user can alter the application's global properties, enabling them to then chain this with other nodes to execute arbitrary code on the server.

  • Requires authenticated user.
  • Targets XML Node.
  • Chain with other nodes.

Live Threat

Current exploitation, exposure, and threat context

This CVE involves prototype pollution leading to RCE, but requires an authenticated user with specific permissions to exploit. Attackers generally favor vulnerabilities that can be exploited remotely without authentication or prior access. While this vulnerability could be chained for significant impact once inside a network, the initial access requirement makes it less attractive for broad, opportunistic attacks.

  • Exploitation requires authentication.
  • No public exploit code observed.
  • KEV signals are absent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching n8n instances to versions 1.123.32, 2.17.4, or 2.18.1 to address the critical remote code execution vulnerability. If immediate patching is not feasible, implement strict access controls and monitor for suspicious workflow modifications or unexpected process behavior.

  • Upgrade n8n to fixed versions.
  • Restrict workflow editing permissions.
  • Monitor for anomalous activity.

Frequently asked questions

What is n8n and what is it used for?

n8n is an open-source platform designed for workflow automation. It enables users to connect various applications and services to automate repetitive tasks and processes, streamlining operations for businesses.

What type of weakness does CVE-2026-42232 represent in n8n?

CVE-2026-42232 is a prototype pollution vulnerability (CWE-1321) within n8n's XML Node. This weakness allows an authenticated user to modify global properties of the application, which can then be exploited to execute arbitrary code.

How can an attacker trigger the vulnerability in n8n?

An attacker needs to be an authenticated user with permissions to create or modify workflows. They can then exploit the vulnerability by using the XML Node, potentially in conjunction with other nodes, to achieve code execution.

Who should be concerned about this n8n vulnerability?

Technical teams managing n8n instances should be concerned. The Halo Surface Signal indicates this vulnerability is classified as external due to its network-accessible attack vector, meaning it could be targeted by attackers if proper security measures are not in place.

What is the first step to respond to this CVE?

The primary action is to update n8n to a patched version: 1.123.32, 2.17.4, or 2.18.1. If immediate upgrading isn't possible, enhancing access controls and closely monitoring workflow changes for unusual activity are recommended immediate steps.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified