Critical n8n vulnerabilities expose automation nodes to RCE and file theft risks


n8n has patched three critical vulnerabilities that could let authenticated users with workflow editing permissions move from normal automation access to remote code execution or sensitive file theft on self-hosted instances.

The flaws affect the HTTP Request, Git, and XML nodes. They are tracked as CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791, and all three carry a Critical severity rating with a CVSS 4.0 score of 9.4.

The vulnerabilities matter because n8n workflows often connect to APIs, credentials, Git repositories, databases, and internal tools. A flaw in one node can become more dangerous when attackers chain it with other workflow features.

Three n8n flaws were patched in May

The advisories were published by n8n on GitHub on May 13, 2026. Each issue requires an authenticated attacker who can create or modify workflows, which limits exposure compared with a fully unauthenticated RCE.

That limitation does not make the bugs safe. Many n8n environments allow several team members, contractors, or internal users to build automations. If any of those accounts become compromised, the vulnerable nodes can give attackers a path into the host system.

n8n fixed the three issues in versions 1.123.43, 2.20.7, and 2.22.1. Administrators running older self-hosted versions should update as soon as possible.

CVE | Affected node | Issue | Impact | Severity
CVE-2026-44789 | HTTP Request | Pagination prototype pollution | Can lead to RCE when chained with other techniques | Critical, 9.4
CVE-2026-44790 | Git | Argument injection in Git push operation | Can read arbitrary files from the n8n server | Critical, 9.4
CVE-2026-44791 | XML | Prototype pollution patch bypass | Can lead to RCE when combined with other nodes | Critical, 9.4

HTTP Request node flaw can lead to prototype pollution

CVE-2026-44789 affects the HTTP Request node. The issue comes from an unvalidated pagination parameter that can allow global prototype pollution.

Prototype pollution lets an attacker modify JavaScript object prototypes. In a Node.js application, that can become dangerous when other code later trusts polluted properties during execution.

According to n8n’s advisory, this flaw can lead to RCE when combined with other techniques. That means the HTTP Request issue is not just a data-handling problem. It can become a host compromise path in the right workflow chain.

Git node flaw can expose server files

CVE-2026-44790 affects the Git node’s Push operation. The vulnerability allows an authenticated user with workflow editing rights to inject command-line flags.

That argument injection can let an attacker read arbitrary files from the n8n server. This may include configuration files, environment variables, tokens, SSH keys, database credentials, or other secrets available to the n8n process.

File read bugs can quickly become full compromise in automation platforms. If attackers obtain n8n encryption keys, database credentials, or cloud tokens, they may be able to take over workflows, access connected services, or move deeper into internal systems.

XML node patch bypass reopens RCE risk

CVE-2026-44791 affects the XML node and bypasses a previous fix for GHSA-hqr4-h3xv-9m3r. That earlier issue also involved prototype pollution in the XML node.

The new advisory says an attacker can bypass the earlier patch and, when combined with other nodes, reach RCE on the n8n host.

Patch bypasses are important because administrators may believe they already fixed the original bug. In this case, the safest approach is to upgrade to one of the newly patched versions rather than relying on the previous XML node fix.

Affected and fixed n8n versions

The three critical vulnerabilities affect older n8n release lines. GitHub’s advisories list the patched versions as 1.123.43, 2.20.7, and 2.22.1.

Administrators should not only update production. They should also check staging systems, development deployments, Docker images, backups, and self-hosted instances used by smaller teams.

Teams running n8n behind a VPN or internal firewall still need the fix if untrusted or lower-privileged users can edit workflows. The attack starts from authenticated workflow access, not necessarily from public internet access.

n8n branch | Action needed
1.x | Update to 1.123.43 or later
2.20.x | Update to 2.20.7 or later
2.21.x and 2.22.x | Update to 2.22.1 or later
Older self-hosted images | Replace with a patched image and restart services

Temporary mitigations are available

n8n says administrators who cannot upgrade immediately should limit workflow creation and editing permissions to fully trusted users only.

Admins can also disable the affected nodes with the NODES_EXCLUDE environment variable. This can reduce exposure, but n8n warns that these workarounds do not fully remove the risk.

Disabling nodes may also break existing automations. Teams should test important workflows before applying broad exclusions in production.

NODES_EXCLUDE=n8n-nodes-base.httpRequest,n8n-nodes-base.git,n8n-nodes-base.xml
  • Restrict workflow editing to trusted administrators.
  • Disable the HTTP Request node if it is not essential.
  • Disable the Git node if workflows do not need Git operations.
  • Disable the XML node if XML parsing is not required.
  • Review logs for unexpected workflow changes.
  • Rotate credentials if a vulnerable instance may have been exposed.

Other n8n advisories were also released

The same advisory batch included additional high-severity issues. One involved a Source Control Pull SQL injection that can affect instances using PostgreSQL, source control, and a repository the attacker can write to.

Another issue involved a cross-user authorization bypass in dynamic credential OAuth endpoints. In affected cases, a user with read-only access to a shared credential could start an OAuth reconnect flow and replace stored token material with tokens from an account they control.

These issues are separate from the three critical node vulnerabilities, but they point to the same broader risk. n8n stores powerful automation logic and credentials, so permission boundaries must hold even between authenticated users.

Why automation platforms need strict access control

n8n is designed to connect services and move data between them. That makes it useful, but it also gives workflows access to high-value credentials and internal systems.

A low-privileged workflow editor can sometimes reach more sensitive systems than expected if node-level validation fails. That risk grows when teams share instances across departments, clients, or contractors.

Administrators should treat workflow editing as a sensitive permission. Users who can build or modify workflows can often influence network requests, data handling, credential use, and file access.

What administrators should do now

The first step is to upgrade n8n to a patched version. After updating, teams should restart all running n8n services and confirm that the active version matches the fixed branch.

Administrators should then audit users with workflow editing rights. Any account that does not need that permission should lose it, especially on instances connected to production systems.

Finally, teams should review credential usage and recent workflow changes. If a vulnerable instance was exposed to untrusted users, credential rotation may be necessary.

  1. Identify all self-hosted n8n instances.
  2. Upgrade to 1.123.43, 2.20.7, 2.22.1, or later.
  3. Restart n8n and verify the running version.
  4. Review all users with workflow creation or editing access.
  5. Disable affected nodes only as a temporary mitigation.
  6. Audit recent workflow changes and executions.
  7. Rotate secrets if file read or RCE exposure cannot be ruled out.

FAQ

What are the new n8n critical vulnerabilities?

The three critical issues are CVE-2026-44789 in the HTTP Request node, CVE-2026-44790 in the Git node, and CVE-2026-44791 in the XML node. They can lead to RCE or arbitrary file read when exploited by authenticated users with workflow editing permissions.

Can these n8n flaws be exploited without an account?

No. The confirmed advisories say exploitation requires an authenticated user with permission to create or modify workflows. However, compromised or untrusted workflow-editor accounts can still create serious risk.

Which n8n versions fix the vulnerabilities?

n8n fixed the three critical flaws in versions 1.123.43, 2.20.7, and 2.22.1. Administrators should upgrade to one of these versions or a later release.

What can administrators do if they cannot patch n8n immediately?

Administrators should restrict workflow editing to fully trusted users and can temporarily disable the HTTP Request, Git, and XML nodes through the NODES_EXCLUDE environment variable. These mitigations do not fully replace patching.
