CVE-2026-33696 Overview
CVE-2026-33696 is a critical prototype pollution vulnerability in n8n, the open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit this vulnerability in the XML and GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto Object.prototype, ultimately enabling remote code execution on the n8n instance.
Critical Impact
Authenticated attackers can achieve remote code execution through prototype pollution in workflow node configurations, potentially compromising the entire n8n instance and connected integrations.
Affected Products
- n8n versions prior to 2.14.1
- n8n versions prior to 2.13.3
- n8n versions prior to 1.123.27
Discovery Timeline
- 2026-03-25 - CVE-2026-33696 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33696
Vulnerability Analysis
This vulnerability stems from improper handling of user-supplied input within the XML and GSuiteAdmin nodes of n8n workflows. Prototype pollution is a JavaScript-specific vulnerability class (CWE-1321) that occurs when an application allows modification of the prototype of base objects like Object.prototype. In the context of n8n, the workflow automation platform processes node configurations that can contain complex nested objects. When these configurations are merged or processed without proper sanitization, an attacker can inject special properties like __proto__ or constructor.prototype that pollute the global object prototype.
Once Object.prototype is polluted with attacker-controlled values, subsequent code execution paths that rely on default object properties can be manipulated. In Node.js environments like n8n, this can lead to remote code execution when polluted properties are used in security-sensitive operations such as child process spawning, dynamic code evaluation, or template rendering.
Root Cause
The root cause is insufficient validation and sanitization of nested object properties within node configuration parameters. The XML and GSuiteAdmin nodes fail to properly prevent prototype pollution attacks when processing user-supplied configuration data. This allows attackers to inject malicious property paths that modify the JavaScript object prototype chain.
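To make the root cause concrete, here is an added example (not n8n's own code, and not the patched implementation) showing a naive recursive merge of the kind that lets a nested "__proto__" key reach Object.prototype, beside a hardened merge that refuses reserved keys and never descends into inherited properties. The "polluted" property name comes from the advisory text; the payload and the helper names are constructed for this illustration.

```javascript
// Added example (not n8n's own code): a naive recursive merge of the kind
// behind CWE-1321, beside a hardened version. "polluted" is the property
// name the advisory text uses; the payload below is constructed.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: copies every key. A "__proto__" key resolves through the
// target's prototype accessor, so the nested values land on Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: walks own keys only, rejects the keys that reach the prototype
// chain, and only descends into a target property the target itself owns.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (RESERVED_KEYS.has(key)) throw new Error(`refusing to merge reserved key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed node-parameter payload, parsed from JSON so "__proto__" is an
// own key exactly as it would arrive in an API request body.
const CRAFTED_PARAMS = '{"options":{"__proto__":{"polluted":"yes"}}}';

// Runs one merge, reports whether a fresh object now inherits "polluted",
// then removes any pollution so the process is left clean.
function demonstrate(mergeFn) {
  const outcome = { polluted: undefined, error: null };
  try { mergeFn({}, JSON.parse(CRAFTED_PARAMS)); } catch (e) { outcome.error = e.message; }
  outcome.polluted = ({}).polluted;   // inherited from Object.prototype if polluted
  delete Object.prototype.polluted;   // clean up the shared prototype
  return outcome;
}
```

The naive merge leaves every later object in the process inheriting "polluted"; the hardened one rejects the payload before anything is written.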
Attack Vector
The attack requires network access to the n8n instance and valid authentication credentials with workflow creation or modification permissions. An attacker would craft a malicious workflow containing a specially configured XML or GSuiteAdmin node with prototype pollution payloads in the node parameters. When the workflow is saved or executed, the prototype pollution occurs, and subsequent code execution within the n8n process can be hijacked to achieve remote code execution.
The vulnerability is exploited through crafted node configuration parameters that inject properties like __proto__.polluted or constructor.prototype.polluted into the object processing logic. These polluted properties can then influence other parts of the application that check for the presence of certain object properties or use default values from the prototype chain. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33696
Indicators of Compromise
- Unusual workflow configurations containing __proto__, constructor, or prototype keywords in node parameters
- Unexpected modifications to workflow definitions by users with limited permissions
- Anomalous process spawning or network connections originating from the n8n process
- Error logs indicating unexpected object property access or type errors
Detection Strategies
- Monitor workflow creation and modification events for suspicious payload patterns containing prototype pollution keywords
- Implement log analysis rules to detect __proto__ or constructor.prototype strings in workflow configuration data
- Deploy runtime application self-protection (RASP) solutions capable of detecting prototype pollution attempts in Node.js applications
- Review audit logs for workflow changes made by users who shouldn't have those permissions
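As an added example (not part of this page or the n8n project) of the detection strategies listed above, the following audits an exported workflow for the indicators named: reserved keys anywhere in node parameters, and dotted property-path strings such as __proto__.polluted or constructor.prototype.polluted. It assumes the usual export shape of a nodes array whose entries carry name, type and parameters; the sample export is constructed.

```javascript
// Added example (not n8n's own code): audit an exported workflow for the
// prototype-pollution indicators named above, both as object keys and inside
// dotted property-path strings such as "__proto__.polluted".
// Assumed export shape: { nodes: [{ name, type, parameters }] }.
const RESERVED = ["__proto__", "constructor", "prototype"];

function walk(value, path, findings) {
  if (typeof value === "string") {
    // Split the way a path-setting helper would, so "a.__proto__.b" is caught
    // but a harmless word such as "constructors" is not.
    const hit = value.split(".").find((seg) => RESERVED.includes(seg));
    if (hit) findings.push({ path, reason: `path string contains "${hit}"` });
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => walk(item, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === "object") {
    // Object.keys lists an own "__proto__" key the way JSON.parse creates it.
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (RESERVED.includes(key)) findings.push({ path: childPath, reason: "reserved key" });
      walk(value[key], childPath, findings);
    }
  }
}

// Returns one finding per indicator, tagged with the node type and name.
function auditWorkflow(workflowJson) {
  const workflow = JSON.parse(workflowJson);
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    walk(node.parameters ?? {}, `${node.type}:${node.name}`, findings);
  }
  return findings;
}

// Constructed sample export: one benign XML node and one carrying both
// indicator forms. Kept as a raw JSON string because an object literal would
// treat "__proto__" as a prototype setter rather than an own key.
const SAMPLE_EXPORT = `{"nodes":[
  {"name":"Parse","type":"n8n-nodes-base.xml","parameters":{"dataPropertyName":"data"}},
  {"name":"Bad","type":"n8n-nodes-base.xml","parameters":{
    "options":{"__proto__":{"polluted":"yes"}},
    "dataPropertyName":"constructor.prototype.polluted"}}
]}`;
```

Run it over each workflow returned by the n8n workflow export or REST API and alert on any non-empty result; the same walker can be applied to the request body of workflow create and update calls in an API gateway.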
Monitoring Recommendations
- Enable verbose logging for workflow creation and modification API endpoints
- Configure alerting on child process creation from the n8n service outside normal operational patterns
- Monitor for outbound network connections from the n8n instance to unexpected destinations
- Implement file integrity monitoring on n8n configuration and workflow storage directories
How to Mitigate CVE-2026-33696
Immediate Actions Required
- Upgrade n8n immediately to 2.14.1, 2.13.3, or 1.123.27 (or a later release on the same branch)
- Audit existing workflows for any suspicious configurations containing prototype pollution payloads
- Review user permissions and restrict workflow creation/modification to trusted administrators only
- Monitor n8n instance logs for any signs of exploitation attempts
Patch Information
The n8n development team has released patched versions that address this prototype pollution vulnerability. Users should upgrade to one of the following versions or later:
- Version 2.14.1 (for 2.14.x branch users)
- Version 2.13.3 (for 2.13.x branch users)
- Version 1.123.27 (for 1.x branch users)
Patch details and changelog are available in the GitHub Security Advisory.
Workarounds
- Limit workflow creation and editing permissions to fully trusted users only until patching is complete
- Disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable (this leaves the GSuiteAdmin node, which is also affected, enabled)
- Consider restricting network access to the n8n instance to trusted IP ranges
- Implement additional authentication layers or network segmentation to limit exposure
# Temporary workaround: disable the vulnerable XML node
# NODES_EXCLUDE takes a JSON array of node type names. Set it in the environment
# the n8n service actually reads (its EnvironmentFile or a systemd drop-in); an
# `export` in an interactive shell does not reach a systemd-managed service.
NODES_EXCLUDE='["n8n-nodes-base.xml"]'
# Restart the n8n service to apply the change
systemctl restart n8n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


