n8n: Prototype Pollution enables confused-deputy execution via public webhooks
Description
Prototype pollution in n8n's webhook handling allows attackers to inject fields that downstream nodes treat as normal workflow data, enabling confused-deputy attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A prototype pollution vulnerability exists in n8n when a crafted public webhook payload injects attacker-controlled fields into workflow data during internal object copying [1][2]. The fields are surfaced and consumed as normal values by downstream built-in nodes. The issue affects n8n versions before 2.25.7 and 2.26.2 [1][2].
Exploitation
An attacker needs network access to send a crafted HTTP request to a public (unauthenticated) webhook endpoint of an n8n workflow [1][2]. No authentication or user interaction is required for the webhook trigger itself. The exploit involves crafting a JSON payload that pollutes the prototype, causing extra fields to be copied into the workflow data [1]. These fields then appear as legitimate data to subsequent nodes.
Impact
If the workflow combines a public webhook with action nodes that consume those injected fields (e.g., transform, database, or HTTP request nodes), the attacker can cause the workflow to act as a confused deputy [1][2]. The attacker can target unintended records or issue outbound requests using the workflow owner's configured credentials, leading to low confidentiality and low integrity impacts on the system [1].
Mitigation
The issue is fixed in n8n versions 2.25.7 and 2.26.2 [1][2]. Administrators should upgrade to one of these versions or later. If immediate upgrade is not possible, temporary workarounds include avoiding exposure of public webhook workflows that pass incoming data through transform nodes into action nodes with sensitive credentials, and limiting workflow creation and editing permissions to fully trusted users [1][2]. These workarounds do not fully remediate the risk and should only be short-term measures [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches (0): No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions (0): No linked articles in our index yet.