CVE-2026-33696
Published 2026-03-25
Priority: P2 (61), high
CVSS 3.1 base score 8.8 (high): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.77% (50.8th percentile)
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and GSuiteAdmin nodes. By supplying crafted parameters as part of a node's configuration, an attacker could write attacker-controlled values onto `Object.prototype`, and could use that pollution to achieve remote code execution on the n8n instance.

The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27; users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term measures; in particular, the `NODES_EXCLUDE` workaround as stated covers only the XML node, not the GSuiteAdmin node that is also named as affected.
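The mechanism the advisory describes, as an added example that is not n8n's code and does not reproduce the affected nodes: a naive recursive merge of user-supplied node parameters (the classic CWE-1321 sink) lets a JSON object carrying an own key literally named `__proto__` reach `Object.prototype`, after which every object in the process inherits the attacker's value. Beside it is a hardened merge that refuses prototype-related keys and only descends into properties the target itself owns, plus a runtime check for an already-polluted prototype. All function names and the sample payload are hypothetical and constructed for this example.

```javascript
// Added example (not n8n's code): prototype pollution through a naive
// recursive parameter merge, and a hardened merge that refuses it.

// Constructed attacker input. It must come from JSON.parse (or any parser that
// creates an *own* property named "__proto__"); an object literal
// {__proto__: ...} would set the prototype instead and would not pollute.
const CRAFTED_PARAMETERS = JSON.parse(
  '{"options": {"__proto__": {"polluted": "yes"}}}'
);

// Vulnerable sink: for-in visits the own key "__proto__", and because a plain
// target has no own property of that name, target["__proto__"] resolves
// through the inherited accessor to Object.prototype, which is then merged into.
function unsafeMergeParameters(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMergeParameters(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Hardened sink: own keys only, prototype-related keys rejected outright, and
// descent only into properties the target itself owns, so an inherited
// accessor such as __proto__ is never reached.
function safeMergeParameters(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected parameter key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMergeParameters(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime check for a test suite or health probe: on a clean process
// Object.prototype has no own enumerable keys, so anything returned is pollution.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// True when the hardened merge refuses the input (the desired outcome for a payload).
function hardenedMergeRejects(input) {
  try {
    safeMergeParameters({}, input);
    return false;
  } catch (e) {
    return true;
  }
}

// Runs the vulnerable path, records its effect on an unrelated object, then
// deletes the polluted key so the rest of the process is left clean.
function demo() {
  unsafeMergeParameters({}, CRAFTED_PARAMETERS);
  const unrelated = {};                 // never touched by the merge
  const leaked = unrelated.polluted;    // "yes": every object now inherits it
  const keys = pollutedPrototypeKeys(); // ["polluted"]
  delete Object.prototype.polluted;
  return { leaked, keys, cleaned: pollutedPrototypeKeys().length === 0 };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log('hardened merge rejects payload:', hardenedMergeRejects(CRAFTED_PARAMETERS));
}
```

The `unrelated` object in `demo()` is the point of the exercise: the merge never touched it, yet it reports the attacker's value. Any later code in the same process that reads an option it expects to be absent (a flag on a spawn call, a template setting, a serializer hint) sees the attacker's value instead, which is the step from pollution to code execution that the advisory alludes to.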
Affected
The sources list 9 ranges for the same product (vendor given as n8n-io or n8n; several rows carry no range at all). Collapsed to the distinct ranges:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n-io / n8n | n8n | >= 0, < 1.123.27 | 1.123.27 |
| n8n | n8n | >= 2.0.0-rc.0 (also listed as >= 2.0.0), < 2.13.3 | 2.13.3 |
| n8n | n8n | >= 2.14.0, < 2.14.1 | 2.14.1 |
Releases from 2.13.3 up to but not including 2.14.0 fall between the last two ranges and are not listed as affected.
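A check of an installed version against the ranges in the Affected table above, as an added example (not n8n's code or tooling). It implements enough semver precedence, numeric fields first and then pre-release identifiers, to place a tag such as `2.0.0-rc.0` correctly below `2.0.0`; a plain numeric comparison would get that boundary wrong. Function names are hypothetical.

```javascript
// Added example (not n8n's code): is a given n8n version in an affected range?

// Distinct ranges from the Affected table, as [from, before) with `before`
// being the fixed release.
const AFFECTED_RANGES = [
  { from: '0.0.0',      before: '1.123.27', fixedIn: '1.123.27' },
  { from: '2.0.0-rc.0', before: '2.13.3',   fixedIn: '2.13.3' },
  { from: '2.14.0',     before: '2.14.1',   fixedIn: '2.14.1' },
];

// Accepts an optional leading "v" and ignores build metadata (+...).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: "${v}"`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Pre-release comparison per semver: a release outranks any pre-release of
// the same number; numeric identifiers compare numerically and rank below
// alphanumeric ones; a shorter identifier list ranks lower.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const an = /^\d+$/.test(a[i]);
    const bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return Math.sign(d);
    } else if (an) {
      return -1;
    } else if (bn) {
      return 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return Math.sign(a.length - b.length);
}

// -1, 0 or 1 in semver precedence order.
function compareVersions(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

// The release to upgrade to if `version` sits in an affected range, else null.
function affectedFixedIn(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0) {
      return r.fixedIn;
    }
  }
  return null;
}

function isAffected(version) {
  return affectedFixedIn(version) !== null;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Typical use: pass the version string reported by the running instance.
  const v = process.argv[2] || '2.13.2';
  const fix = affectedFixedIn(v);
  console.log(v, fix ? `affected, upgrade to ${fix}` : 'not in a listed affected range');
}
```

Pre-release builds that fall between the listed ranges (for example a `2.14.0-rc.x` tag, which sorts below `2.14.0`) are reported as not affected because the published ranges do not cover them; treat such builds as unknown rather than safe.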
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat, environmental and supplemental metrics all X, not defined)
The two vectors disagree on reach: v3.1 rates scope as unchanged (S:U), while v4.0 rates subsequent-system confidentiality, integrity and availability impact as high (SC:H/SI:H/SA:H), which is part of why the v4.0 score is the higher of the two.
GHSA
n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE
ghsa · 2026-03-26 · CVE-2026-33696 · CRITICAL · CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
## Impact
An authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the GSuiteAdmin node. By supplying a crafted parameter as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance.
## Patches
The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and edi
OSV
n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE
osv · 2026-03-26 · CVE-2026-33696 · CRITICAL
The OSV record carries the same Impact, Patches and Workarounds text as the GHSA advisory above.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
blogs_hackernews · 2026-04-06
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.
One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.
That’s this week. Read through it.
## ⚡ Threat of the Week
Axios npm Package Compromised by N. Korean Hackers —Threat actors with ties to North Korea seized control of the npm account belonging to the lead m
Wiz
CVE-2026-33696 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz (index entry lists CVSS 5.1, MEDIUM)
CVE-2026-33696: NixOS vulnerability analysis and mitigation (source: NVD)
Score 9.4 · Severity CRITICAL · CNA score 9.4 · Published March 25, 2026
Affected technologies: NixOS, n8n
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
EPSS exploitation probability 0.3, percentile 55.8 (as recorded by Wiz; compare the EPSS figures in the header above)
Affected packages and libraries: n8n
Sources: NVD; npm (severity CRITICAL, has fix, added Mar 29, 2026); Nix (severity HIGH, has fix, added Mar 29, 2026)