5 matches found
CVE-2026-59206
n8n is affected by a prototype pollution vulnerability in which an authenticated user with the default workflow:create permission could pollute Object.prototype via a crafted workflow saved, updated, or imported through the workflow API. This corruption could cause unauthenticated requests to be ...
CVE-2026-59206 n8n: Prototype Pollution via Workflow Credentials Leads to Unauthenticated User and Project Enumeration
n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated user with the default workflow:create permission could pollute Object.prototype through a crafted workflow saved, updated, or imported via the workflow API, allowing unauthenticated reques...
CVE-2026-59207
The CVE covers n8n (open source workflow automation) where, prior to versions 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool targeted an arbitrary URL. This allowed a member-level user with use-only ...
CVE-2026-59207 n8n: "Allowed HTTP Request Domains" Restriction Bypass via AI Agents MCP Connector
n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a...
CVE-2025-62381 sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`
sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial...