Platform
nodejs
Component
n8n
Fixed in
1.123.28
2.0.1
2.14.1
2.14.1
CVE-2026-33696 describes a critical Remote Code Execution (RCE) vulnerability discovered in n8n, a workflow automation platform. An authenticated user with workflow creation/modification permissions can exploit this prototype pollution flaw to execute arbitrary code on the server. This vulnerability affects versions of n8n up to and including 2.14.0, and a patch is available in versions 2.14.1, 2.13.3, and 1.123.27.
The impact of CVE-2026-33696 is severe. Successful exploitation allows an attacker to achieve remote code execution on the n8n instance. This means an attacker could potentially gain complete control over the server, including access to sensitive data processed by the workflows, modification of workflows, and installation of malicious software. The attacker needs to be an authenticated user with permissions to create or modify workflows, which is a common privilege level in many n8n deployments. This vulnerability resembles other prototype pollution attacks where attacker-controlled data is injected into JavaScript objects, leading to unexpected behavior and potentially code execution. The blast radius extends to any data processed by the affected n8n instance.
CVE-2026-33696 was published on 2026-03-26. As of this date, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be medium to high due to the RCE nature of the vulnerability and the relative ease of exploitation once an attacker has authenticated access and workflow modification privileges. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.33% (56% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33696 is to upgrade n8n to version 2.14.1, 2.13.3, or 1.123.27 or later. If an immediate upgrade is not feasible, consider restricting user permissions to limit the ability to create or modify workflows. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to detect and block prototype pollution attempts can provide an additional layer of defense. Monitor n8n logs for unusual activity or errors related to node configurations. There are no specific Sigma or YARA rules readily available for this particular vulnerability, but generic prototype pollution detection rules may be applicable. After upgrading, verify the fix by attempting to create a workflow with a crafted node configuration designed to trigger the prototype pollution vulnerability; it should now be rejected.
Update n8n to version 2.14.1, 2.13.3, or 1.123.27, or later. If updating is not immediately possible, limit workflow creation and editing permissions to trusted users, or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. Note that these workarounds are temporary mitigations and do not fully remediate the risk.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33696 is a critical Remote Code Execution vulnerability in n8n workflow automation platform, allowing attackers to execute code on the server through crafted node configurations.
You are affected if you are running n8n versions 2.14.0 or earlier. Upgrade to 2.14.1, 2.13.3, or 1.123.27 to mitigate the risk.
Upgrade n8n to version 2.14.1, 2.13.3, or 1.123.27 or later. Consider restricting user permissions as an interim measure.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the n8n security advisories on their official website or GitHub repository for the latest information and updates regarding CVE-2026-33696.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.