Critical n8n Workflow Node Vulnerabilities Allow Prototype Pollution, Arbitrary File Read, and Patch Bypass (CVE-2026-44789, CVE-2026-44790, CVE-2026-44791)

June 10th, 2026

Critical

Several critical vulnerabilities have been identified in the n8n workflow automation platform, tracked as CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791. These vulnerabilities allow authenticated attackers to execute arbitrary commands, read arbitrary files from the server, and bypass previously deployed security patches. The vulnerabilities affect the HTTP Request, Git, and XML workflow nodes, and have been publicly disclosed with proof-of-concept exploits, increasing the risk of attacks on internet-accessible n8n instances. Notably, CVE-2026-44791 bypasses the patch for CVE-2026-42232, leaving organizations that applied earlier fixes still vulnerable. Because n8n often integrates with enterprise applications, cloud services, and critical APIs, exploitation could lead to unauthorized access to credentials, lateral movement, and compromise of automation infrastructure.  

Technical Details

  • Threat Type: Prototype Pollution that may enable Remote Code Execution when chained with additional nodes or techniques (CVE-2026-44789, CVE-2026-44791); CLI Argument Injection enabling Arbitrary File Read (CVE-2026-44790)

  • Severity: Critical

    • CVSS v4: 9.4 for CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791

  • CVE IDs: CVE-2026-44789, CVE-2026-44790, CVE-2026-44791

  • Affected Systems: n8n workflow automation platform, all versions prior to 1.123.43 (1.x branch), 2.20.7, and 2.22.1

  • Affected Components: n8n-nodes-base.httpRequest (CVE-2026-44789), n8n-nodes-base.git (CVE-2026-44790), n8n-nodes-base.xml (CVE-2026-44791)

  • Fixed Versions: 1.123.43, 2.20.7, 2.22.1

  • Threat Actor: None identified

  • Exploit Status: Proof-of-concept details publicly available; no confirmed in-the-wild exploitation reported at time of publication

CVE-2026-44789 — HTTP Request Node: Prototype Pollution to RCE

  • Authenticated access required; workflow creation or modification privileges sufficient for exploitation

  • Attacker crafts malicious pagination parameters within an HTTP Request node workflow configuration, injecting JavaScript prototype chain properties such as __proto__, constructor, or prototype

  • The HTTP Request node processes these values without validation, allowing modification of the global JavaScript prototype chain

  • With prototype pollution achieved, the attacker may chain the condition with unsafe internal code execution paths to achieve arbitrary command execution on the n8n host; successful execution depends on chaining with additional exploitable nodes or techniques

CVE-2026-44790 — Git Node: CLI Argument Injection enabling Arbitrary File Read

  • Authenticated access required; workflow creation or modification privileges sufficient for exploitation

  • Attacker injects malicious CLI flags into the Git node's Push operation parameters via crafted workflow configurations

  • Injected flags are passed directly to backend Git command execution routines without sanitization, redirecting Git operations to read arbitrary files from the server filesystem

  • Depending on the environment, accessible files may include environment variables, configuration files, SSH keys, API tokens, and other sensitive material; exposed credentials may facilitate privilege escalation, lateral movement, or full server compromise

CVE-2026-44791 — XML Node: Patch Bypass for CVE-2026-42232 leading to RCE

  • Authenticated access required; workflow creation or modification privileges sufficient for exploitation

  • Attacker submits specially crafted XML payloads within a workflow's XML node

  • The XML node improperly handles these payloads, reintroducing prototype pollution conditions that bypass the previously issued security fix for CVE-2026-42232

  • Combined with other nodes, successful exploitation may allow arbitrary command execution on the n8n host; organizations that applied the CVE-2026-42232 patch and considered themselves remediated remain exposed to this vulnerability

Impact

  • Organizations running vulnerable n8n instances where untrusted users can create or modify workflows, particularly those integrated with cloud services, internal APIs, databases, and business-critical automation, are at significant risk of compromise.

  • Successful exploitation of CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791 may allow threat actors to execute arbitrary commands, read sensitive files from the host filesystem, and move laterally across connected enterprise environments.

  • Exploitation may result in workflow disruption, operational downtime, credential theft, and compromise of downstream services relying on n8n-stored secrets and API tokens.

  • Organizations across sectors relying on n8n for workflow orchestration and data integration may additionally face regulatory exposure and reputational damage following a successful intrusion or data breach.

Detection Method

The following detection opportunities are analyst-recommended; vendor advisories for these CVEs do not provide specific detection guidance.

  • Monitor EDR and Sysmon logs for suspicious child processes spawned by node, npm, or n8n services, particularly shells or scripting utilities such as cmd.exe, powershell.exe, /bin/bash, curl, wget, or python. Relevant telemetry includes Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connections).

  • Review n8n application logs, Docker container logs, and reverse proxy logs (nginx, apache) for unusual API requests, malformed XML payloads, excessive workflow modifications, or requests containing JavaScript prototype chain properties such as __proto__, constructor, or prototype.

  • Monitor authentication and audit logs for unauthorized workflow creation or modification activity, privilege escalation attempts, or anomalous access originating from unfamiliar IP addresses or geolocations.

  • Inspect firewall, IDS/IPS, and proxy logs for outbound connections from n8n hosts to uncommon external IPs or domains, which may indicate payload retrieval, command-and-control communication, or data exfiltration following successful exploitation.

  • Configure SIEM correlation rules to detect abnormal command-line executions, file access attempts targeting sensitive paths such as .env, /etc/passwd, SSH keys, or Docker secrets, and unexpected process execution chains associated with the n8n service account.

  • Leverage Sigma rules for suspicious Node.js child process execution and monitor for indicators consistent with CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791 exploitation patterns involving prototype pollution, argument injection, and arbitrary file access.
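
One way to apply the prototype-chain and argument checks from the list above to exported workflow JSON, as an added example (not code from n8n or from this advisory). It assumes the export's `nodes[].type`, `nodes[].name` and `nodes[].parameters` fields; the sample workflow and its parameter names are constructed, and the leading-dash test for Git node values is a heuristic.

```javascript
// Added example: audit an exported n8n workflow for the patterns listed above.
const AFFECTED = new Set([
  'n8n-nodes-base.httpRequest', // CVE-2026-44789
  'n8n-nodes-base.git', // CVE-2026-44790
  'n8n-nodes-base.xml', // CVE-2026-44791
]);
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const PROTO_TOKEN = /(?<![\w$])(__proto__|constructor|prototype)(?![\w$])/;

// Walk a parameter tree and record each finding with its JSON path.
function walk(value, path, isGit, out) {
  if (typeof value === 'string') {
    if (PROTO_TOKEN.test(value)) out.push({ path, reason: 'prototype-chain token in value' });
    // Heuristic: a Git node value that starts with "-" would be read as an option.
    if (isGit && value.trimStart().startsWith('-')) out.push({ path, reason: 'option-like value in Git node' });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, isGit, out));
  } else if (value !== null && typeof value === 'object') {
    // JSON.parse stores "__proto__" as an own key, so Object.keys reports it.
    for (const key of Object.keys(value)) {
      if (PROTO_KEYS.has(key)) out.push({ path: `${path}.${key}`, reason: 'prototype-chain key' });
      walk(value[key], `${path}.${key}`, isGit, out);
    }
  }
}

function auditWorkflow(workflowJson) {
  const findings = [];
  for (const node of JSON.parse(workflowJson).nodes ?? []) {
    if (!AFFECTED.has(node.type)) continue; // only the three affected node types
    const out = [];
    walk(node.parameters ?? {}, 'parameters', node.type === 'n8n-nodes-base.git', out);
    for (const f of out) findings.push({ node: node.name, type: node.type, ...f });
  }
  return findings;
}

// Constructed sample export; parameter names below are illustrative only.
const SAMPLE = `{"name": "constructed-sample", "nodes": [
  {"name": "Fetch", "type": "n8n-nodes-base.httpRequest",
   "parameters": {"url": "https://example.invalid/api",
                  "options": {"pagination": {"__proto__": {"flag": true}}}}},
  {"name": "Push", "type": "n8n-nodes-base.git",
   "parameters": {"operation": "push", "target": "--example-flag=value"}},
  {"name": "Parse", "type": "n8n-nodes-base.xml", "parameters": {"mode": "xmlToJson"}},
  {"name": "Set", "type": "n8n-nodes-base.set", "parameters": {"prototype": "out of scope"}}
]}`;

console.log(auditWorkflow(SAMPLE));
```

Tokens such as constructor also occur in legitimate content, so treat each finding as a lead for manual review of the workflow and its last editor.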

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory. 

Recommendations

  • Upgrade affected n8n instances immediately to a patched version addressing CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791: version 1.123.43 (1.x branch), 2.20.7, or 2.22.1.

  • If immediate upgrade is not possible, apply the following interim node exclusions by adding the relevant values to the NODES_EXCLUDE environment variable:

    • CVE-2026-44789 (HTTP Request node): n8n-nodes-base.httpRequest

    • CVE-2026-44790 (Git node): n8n-nodes-base.git

    • CVE-2026-44791 (XML node): n8n-nodes-base.xml

    • Node exclusions are short-term mitigations only and do not fully remediate the underlying vulnerabilities. Patching remains the only comprehensive remediation.

  • Restrict workflow creation and modification permissions to trusted users only and enforce least-privilege access across all n8n accounts.

  • Restrict external access to n8n management interfaces, APIs, and workflow editors using firewall rules, VPN access, network segmentation, and IP allowlisting. Enforce multi-factor authentication (MFA) for all administrative and workflow management accounts.

  • Monitor EDR, Sysmon, application, container, and reverse proxy logs for suspicious process execution, abnormal outbound connections, unauthorized workflow modifications, and attempts to access sensitive files or environment variables.

  • Isolate and secure backup repositories, validate restore procedures regularly, and maintain offline or immutable backups to support recovery in the event of compromise or operational disruption.
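
For the NODES_EXCLUDE mitigation above, an added example (not from n8n or this advisory) that adds the three node types to an existing value instead of overwriting it. It assumes NODES_EXCLUDE holds a JSON array of node type names; the function name and sample inputs are constructed.

```javascript
// Added example: extend NODES_EXCLUDE without dropping exclusions already set.
const INTERIM_EXCLUSIONS = [
  'n8n-nodes-base.httpRequest', // CVE-2026-44789
  'n8n-nodes-base.git', // CVE-2026-44790
  'n8n-nodes-base.xml', // CVE-2026-44791
];

// `current` is the existing NODES_EXCLUDE string, or undefined when unset.
// Assumption: the value is a JSON array of node type names.
function mergeNodesExclude(current) {
  let existing = [];
  if (current !== undefined && current.trim() !== '') {
    existing = JSON.parse(current); // throws on malformed input rather than guessing
    if (!Array.isArray(existing) || !existing.every((n) => typeof n === 'string')) {
      throw new TypeError('NODES_EXCLUDE must be a JSON array of strings');
    }
  }
  // Report which of the three node types are not yet excluded, then append them.
  const missing = INTERIM_EXCLUSIONS.filter((n) => !existing.includes(n));
  return { missing, value: JSON.stringify([...existing, ...missing]) };
}

// Constructed inputs: one deployment with earlier exclusions, one with none.
console.log(mergeNodesExclude('["n8n-nodes-base.executeCommand","n8n-nodes-base.git"]'));
console.log(mergeNodesExclude(undefined));
// On a host, pass the live setting: mergeNodesExclude(process.env.NODES_EXCLUDE)
```

An empty `missing` array confirms the running configuration already excludes all three nodes; n8n reads the variable at startup, so a changed value needs a restart to take effect.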

Conclusion

CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791 expose n8n deployments to remote code execution, arbitrary file read, and patch bypass across three native workflow nodes. The release of proof-of-concept exploit details and Critical CVSS v4 severity scores highlight the need for immediate remediation. Organizations should upgrade to patched versions, limit workflow editing to trusted users, apply node-level mitigations if patching is delayed, and ensure detection coverage across application, container, and network telemetry.
