# [CRIT] [GHSA / CRITICAL] CVE-2026-44791: n8n Has an XML Node Prototype Pollution Patch Bypass **Source:** GitHub Security Advisories **Published:** 2026-05-14 **Article:** https://github.com/advisories/GHSA-wrwr-h859-xh2r ## Threat Profile n8n Has an XML Node Prototype Pollution Patch Bypass ## Impact An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. ## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, admi… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-44791` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1059.001** — Command and Scripting Interpreter: PowerShell - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1505.003** — Server Software Component: Web Shell ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### n8n host inventory hunt — surface vulnerable instances < 1.123.43 / 2.20.7 / 2.22.1 `UC_299_1` · phase: **recon** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline from datamodel=Endpoint.Processes where (Processes.process_name IN ("node.exe","node") OR Processes.parent_process_name IN ("node.exe","node")) Processes.process="*n8n*" by host Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(30d) | where (InitiatingProcessFileName in~ ("node.exe","node") or FileName in~ ("node.exe","node")) | where ProcessCommandLine has "n8n" or InitiatingProcessCommandLine has "n8n" | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), SampleParentCmd = any(InitiatingProcessCommandLine), SampleChildCmd = any(ProcessCommandLine) by DeviceName, AccountName | order by LastSeen desc ``` ### n8n Node.js parent spawning OS shell — post-exploit RCE indicator for CVE-2026-44791 `UC_299_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as childCmds values(Processes.parent_process) as parentCmd from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("node.exe","node") Processes.parent_process="*n8n*" Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","sh","bash","dash","zsh","ksh") (Processes.process="*curl *" OR Processes.process="*wget *" OR Processes.process="*Invoke-WebRequest*" OR Processes.process="*IEX*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*base64 *" OR Processes.process="*/dev/tcp/*" OR Processes.process="*/tmp/*" OR Processes.process="*%TEMP%*" OR Processes.process="*-EncodedCommand*" OR Processes.process="*bash -i*" OR Processes.process="*nc -e*") by host Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node.exe","node") | where InitiatingProcessCommandLine has_any ("n8n","n8n-nodes-base") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","sh","bash","dash","zsh","ksh") | where ProcessCommandLine has_any ("curl ","wget ","Invoke-WebRequest","IEX","Invoke-Expression","base64 ","-EncodedCommand","/tmp/","%TEMP%","bash -i","nc -e","perl -e","python -c") or ProcessCommandLine matches regex @"(?i)/dev/tcp/" or ProcessCommandLine matches regex @"(?i)\bnc\b.*\b-l\b" | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-44791` ## Why this matters Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.