Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2026-42232

CVE-2026-42232

CRITICAL9.4

n8n: XML Node Prototype Pollution to RCE

Published May 4, 2026

Modified 1 weeks ago

Details

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r

https://www.cve.org/CVERecord?id=CVE-2026-42232

CVSS Analysis

CVSS v4.0

9.4

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

HighVA:H

Subsequent System

Subseq. Confidentiality

HighSC:H

Subseq. Integrity

HighSI:H

Subseq. Availability

LowSA:L

9.4/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

Weakness Type (CWE)

Input Validation

Prototype Pollution

Ecosystems

Timeline

PublishedMay 4, 2026

ModifiedMay 5, 2026

CVE-2026-42232 | Mondoo Vulnerability Intelligence