CVE-2026-33696 - n8n GSuiteAdmin prototype pollution RCE

n8n versions before the fixed release lines allowed an authenticated workflow author to supply crafted GSuiteAdmin node parameters that modified Object.prototype. In vulnerable deployments, that prototype pollution could be chained to remote code execution in the n8n process.

This is a workflow-authority issue, not a simple transitive dependency warning. The practical risk depends on who can create or edit workflows, which nodes are enabled, what secrets are available to workflows, and whether the affected n8n runtime is self-hosted or supplied by another platform owner.

When to use it

Use this recipe when a repository deploys n8n, pins n8n images, ships workflow templates, or manages multi-user workflow automation where semi-trusted authors can use GSuiteAdmin or XML-related nodes. It is designed for source-code and deployment remediation, workflow-author trust review, prototype-pollution containment, worker hardening, and credential hygiene.

Inputs

  • n8n version, package/image/chart/manifest pins, workflow exports/templates, enabled nodes, NODES_EXCLUDE, worker mode, and generated dependency or SBOM reports.
  • Source/config paths that deploy n8n, seed/import workflows, grant workflow edit permissions, enable GSuiteAdmin/XML nodes, mount credentials, or run workers with broad filesystem/network access.
  • Regression or deployment checks for fixed versions, restricted workflow authors, disabled risky nodes, least-privilege workers, and no exploit payload execution.
  • Boundary evidence: workflow author roles, Google credentials, credential store access, internal egress, mounted secrets, logs, image owners, and rollout owner.

Affected versions

  • Vulnerable package: n8n <1.123.27
  • Vulnerable package: n8n >=2.0.0, <2.13.3
  • Vulnerable package: n8n 2.14.0
  • Fixed package: n8n 1.123.27+, 2.13.3+, or 2.14.1+ on the selected release line
  • Affected surface: GSuiteAdmin node parameter handling and workflow execution in the n8n server process
  • Required attacker capability: authenticated permission to create or modify workflows

Indicator-of-exposure

  • The repository deploys, packages, forks, vendors, or pins the n8n server, not only an API client, SDK wrapper, workflow export, or documentation.
  • A controlled runtime resolves to an affected n8n version through npm, pnpm, yarn, Docker, Helm, Kubernetes, Terraform, Ansible, Compose, generated dependency manifests, or SBOMs.
  • Users who are not fully trusted administrators can create or edit workflows.
  • GSuiteAdmin or XML-related workflow nodes are enabled in the affected runtime, especially where workflows can interact with credentials, files, shell-capable nodes, Git, SSH, HTTP request nodes, or internal services.
  • n8n workers run with broad environment secrets, package credentials, cloud credentials, source checkout access, database credentials, or model-provider keys.

Quick checks:

rg -n "n8n|N8N_VERSION|n8nio/n8n|NODES_EXCLUDE|GSuiteAdmin|googleWorkspace|workflow|nodes-base|credentials" .
npm ls n8n
pnpm why n8n
yarn why n8n
rg -n "n8n|n8nio/n8n|N8N_VERSION|NODES_EXCLUDE|workflow" Dockerfile* docker-compose*.yml compose*.yml charts k8s helm terraform ansible .github . 2>/dev/null

Windows:

rg -n "n8n|N8N_VERSION|n8nio/n8n|NODES_EXCLUDE|GSuiteAdmin|googleWorkspace|workflow|nodes-base|credentials" .
npm ls n8n
pnpm why n8n
yarn why n8n
rg -n "n8n|n8nio/n8n|N8N_VERSION|NODES_EXCLUDE|workflow" Dockerfile* docker-compose*.yml compose*.yml charts k8s helm terraform ansible .github .

Do not create crafted node parameters, pollute prototypes, run workflow-based proofs of concept, dump credentials, or execute shell-capable nodes during triage.

Remediation strategy

  • Upgrade every controlled n8n runtime to 1.123.27+, 2.13.3+, or 2.14.1+ on its existing release line.
  • Regenerate lockfiles, rendered deployment manifests, image tags or digests, generated dependency reports, SBOMs, and operator documentation so the resolved runtime is patched.
  • Until the upgrade is deployed, restrict workflow creation and editing to fully trusted administrators. Treat this as containment only, not a fix.
  • If this repository controls node availability and immediate upgrade is blocked, disable high-risk workflow nodes such as XML and GSuiteAdmin where business impact allows. Document residual risk because node exclusion does not fully remediate vulnerable code.
  • Review workflow author roles, credential scopes, and worker environment secrets. Rotate n8n, Google Workspace, database, SSH, Git, cloud, package, or model-provider credentials if exploitation is suspected.
  • Add safe policy checks for controlled deployments: vulnerable n8n versions fail review, workflow-author permissions are not granted to broad tenant or developer roles, and disabled-node containment is visible in config.

The prompt

You are remediating CVE-2026-33696 / GHSA-mxrg-77hm-89hv, an n8n
GSuiteAdmin node prototype pollution issue that can lead to remote code
execution. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades every controlled n8n
  runtime, refreshes generated artifacts, adds safe regression checks, and
  documents operator containment and credential-review work, or
- TRIAGE.md if this repository does not own an affected n8n server runtime or
  cannot safely patch the owned deployment.

## Rules

- Scope only CVE-2026-33696 / GHSA-mxrg-77hm-89hv and directly related n8n
  workflow-authority controls.
- Distinguish n8n server deployments from n8n API clients, SDK wrappers,
  workflow exports, sample docs, and externally owned n8n services.
- Treat workflow credentials, Google Workspace credentials, n8n encryption
  keys, database credentials, cloud credentials, package tokens, repository
  tokens, model-provider keys, environment variables, and workflow exports as
  sensitive.
- Do not create exploit workflows, supply crafted GSuiteAdmin parameters,
  pollute prototypes, execute workflows against live n8n instances, dump
  credentials, or run shell/Git/SSH nodes during validation.
- Do not remove workflow tests, credential scoping, audit logs, or approval
  gates just to silence the advisory.
- Do not auto-merge.

## Steps

1. Inventory all controlled n8n runtime references in package manifests,
   lockfiles, Dockerfiles, Compose files, Helm values, Kubernetes manifests,
   Terraform, Ansible, release scripts, CI images, generated dependency
   manifests, SBOMs, and deployment runbooks.
2. Determine every resolved n8n version. A target is vulnerable if it resolves
   to `n8n <1.123.27`, `n8n >=2.0.0, <2.13.3`, or `n8n 2.14.0`.
3. If the repository only integrates with an externally owned n8n service, stop
   with `TRIAGE.md` naming the owning service, evidence checked, and required
   fixed versions.
4. Upgrade the vulnerable runtime on the selected release line:
   - `1.x` deployments to `1.123.27+`;
   - `2.13.x` deployments to `2.13.3+`;
   - `2.14.x` deployments to `2.14.1+`;
   - floating image tags to an explicit patched tag or digest.
5. Refresh lockfiles, rendered manifests, image digests, deployment evidence,
   generated dependency reports, SBOMs, and docs that pin or install n8n.
6. Search workflow and operator config for GSuiteAdmin, XML, workflow editing,
   credential sharing, role grants, disabled node lists, and worker
   environments that expose secrets to workflow authors.
7. Reduce workflow-author blast radius:
   - restrict workflow creation and editing to trusted administrators until the
     patched runtime is deployed;
   - remove broad workflow-author roles from tenants, shared developer groups,
     and PR-driven automation;
   - avoid running n8n workers with unrelated deploy, package-publish, cloud,
     repository-write, or model-provider secrets;
   - document any node exclusion such as `NODES_EXCLUDE` as temporary
     containment only.
8. Add safe regression or policy checks that do not exploit the issue:
   - resolved n8n version is patched;
   - deployment manifests do not use affected image tags or floating vulnerable
     tags;
   - broad roles cannot create or edit workflows;
   - disabled-node containment, if used, is explicitly documented;
   - logs and validation output omit secrets and workflow credential material.
9. Add a PR body section named `CVE-2026-33696 operator actions` that states:
   - n8n versions before and after;
   - which deployments and release lines were changed or triaged;
   - who can create or edit workflows after the change;
   - whether GSuiteAdmin or XML nodes are enabled;
   - which credentials may have been reachable by workflow authors;
   - whether credential rotation, workflow audit, or incident review is needed;
   - which validation commands passed.
10. Run available validation: package install, lockfile integrity, unit tests,
    workflow import/export checks, config lint, image build, deployment
    rendering, SBOM refresh, dependency/security scans, and non-secret smoke
    checks.
11. Use PR title:
    `fix(sec): remediate CVE-2026-33696 in n8n`.

## Stop conditions

- No affected n8n server runtime, deployment manifest, image, lockfile, or
  workflow-author control is owned by this repository.
- The affected n8n service is owned by another team or vendor; name the owner
  and required fixed version in `TRIAGE.md`.
- A fixed n8n version cannot be consumed without a broader platform migration
  or maintenance window.
- Verification would require exploit workflows, prototype pollution, live
  workflow execution, credential access, or printing secret material.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades n8n, refreshes deployment artifacts, restricts workflow authoring/risky nodes during rollout, hardens workers, and documents credential/operator review.
  • Or a TRIAGE.md file that lists inspected packages/images/manifests, workflows, owner, observed version, GSuiteAdmin workflow boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not run prototype pollution payloads, print workflow credentials, export production execution data, or weaken worker isolation.

Verification - what the reviewer looks for

  • Every controlled n8n runtime resolves to 1.123.27+, 2.13.3+, or 2.14.1+ on the chosen release line.
  • Package locks, image tags or digests, rendered manifests, SBOMs, generated dependency reports, and docs agree on the patched version.
  • Workflow creation and editing are limited to intended trusted roles.
  • Temporary node exclusion or workflow quarantine is documented as containment, not represented as full remediation.
  • Operator notes cover workflow audit and credential rotation if untrusted authors had access to vulnerable runtimes.

Watch for

  • Updating package.json while Docker images, Helm values, generated manifests, or lockfiles still deploy a vulnerable n8n runtime.
  • Treating n8n as a harmless internal tool while broad users can create workflows with credential-bearing nodes.
  • Disabling one node as a permanent fix instead of upgrading.
  • Running tests or smoke checks that execute live workflows or print workflow credentials.
  • Forgetting externally supplied n8n images in CI, devcontainers, or platform templates.

References