Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE
Cybersecurity NewsArchived May 18, 2026✓ Full text saved
A fresh set of critical vulnerabilities in the popular workflow automation platform n8n is raising serious security concerns, as researchers warn that attackers could chain multiple flaws to achieve full remote code execution (RCE) on affected systems. The vulnerabilities, disclosed via GitHub Security Advisories and tracked as CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791, impact multiple core nodes […] The post Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE appeared firs
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE
By Abinaya
May 18, 2026
A fresh set of critical vulnerabilities in the popular workflow automation platform n8n is raising serious security concerns, as researchers warn that attackers could chain multiple flaws to achieve full remote code execution (RCE) on affected systems.
The vulnerabilities, disclosed via GitHub Security Advisories and tracked as CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791, impact multiple core nodes within n8n, including HTTP Request, Git, and XML nodes.
All issues carry a critical severity rating, with CVSS scores indicating high impact across confidentiality, integrity, and availability.
Security researcher Jubke published the advisories on GitHub, highlighting how low-privileged authenticated users with workflow editing permissions can exploit these flaws to compromise entire n8n instances.
n8n Vulnerabilities
Prototype Pollution Leads to RCE
The most severe issue (CVE-2026-44789) affects the HTTP Request node, where improper validation of pagination parameters allows attackers to trigger prototype pollution.
This vulnerability falls under CWE-1321 and enables manipulation of JavaScript object prototypes at a global level.
In practical terms, an attacker can inject malicious properties into application objects, which can later be leveraged alongside other techniques to execute arbitrary code on the host system.
Because n8n workflows often integrate with external APIs and internal systems, this flaw significantly expands the attack surface, especially in automation-heavy environments.
Git Node Enables Arbitrary File Read
A second critical flaw, tracked as CVE-2026-44790, affects the Git node and could let attackers inject malicious CLI flags during Git push operations to read arbitrary files on the server.
Classified under CWE-88 (argument injection), this issue allows attackers to access sensitive files, including configuration data, credentials, and environment variables.
In many cases, such access can directly lead to full system compromise.
XML Node Patch Bypass Reopens Risk
The third vulnerability (CVE-2026-44791) involves a patch bypass in the XML node. Despite a previous fix for a related issue, attackers can still exploit prototype pollution through alternate paths.
When chained with other vulnerable nodes, this flaw can also lead to remote code execution, effectively nullifying earlier security fixes and exposing systems that were assumed to be protected.
Affected Versions and Fixes
All three vulnerabilities affect n8n versions below 1.123.43, 2.20.7, and 2.22.1, and have been patched in versions 1.123.43, 2.20.7, 2.22.1, and later.
Users are strongly advised to upgrade immediately, as no complete workaround exists.
For organizations unable to patch immediately, researchers recommend limiting workflow creation and editing permissions to trusted users only.
Administrators can also turn off vulnerable nodes using the NODES_EXCLUDE environment variable:
Disable HTTP Request node: n8n-nodes-base.httpRequest
Disable Git node: n8n-nodes-base.git
Disable XML node: n8n-nodes-base.xml
However, these measures are only temporary and do not fully eliminate the risk.
These vulnerabilities highlight a broader security challenge in automation platforms like n8n, where interconnected nodes and extensible workflows can unintentionally amplify the impact of individual flaws.
With low-privileged access sufficient to trigger exploitation, organizations relying on n8n for critical automation should treat this disclosure as a high priority and ensure immediate remediation.
Failure to act could allow attackers to move from simple workflow access to full system control within minutes.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Google Warns of Hackers Using AI to Create Working Zero-Day Exploit
OpenAI Hit with Class-Action Privacy Lawsuit for Sharing ChatGPT Data with Google and Meta
Shai-Hulud Worm Steals npm, GitHub, AWS, and Kubernetes Secrets From Developers
Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets
node-ipc npm Package with 822K Weekly Downloads Compromised in Supply Chain Attack
Latest News
Cyber Attack News
Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets
Cyber Security News
CISA Warns of Microsoft Exchange Server Vulnerability Exploited in Attacks
Cyber Security News
1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws
Cyber Security News
Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922
Cyber Security News
New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released