CVE-2026-44789

Published Jun 23, 2026

Last updated 11 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-44789 is a vulnerability found in the n8n workflow automation platform, specifically within its HTTP Request node. This flaw is categorized as an Improperly Controlled Modification of Object Prototype Attributes, also known as "Prototype Pollution" (CWE-1321). It arises from an unvalidated pagination parameter, which an authenticated user with permissions to create or modify workflows can exploit. Exploiting this prototype pollution can corrupt application logic across workflows. When combined with other techniques, it can ultimately enable an attacker to achieve remote code execution (RCE) on the n8n host system.

Description
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Source: security-advisories@github.com
NVD status: Analyzed
Products: n8n

Risk scores

CVSS 4.0

Type: Secondary
Base score: 9.4
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: CRITICAL

CVSS 3.1

Type: Primary
Base score: 9.9
Impact score: 6
Exploitability score: 3.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-1321

Social media

  1. CVE-2026-44789, CVE-2026-44790 & CVE-2026-44791: 3 new vulnerabilities in n8n, 9.4 rating 🔥 Recently disclosed vulnerabilities in n8n allow an attacker to read arbitrary files from the server, achieve global prototype pollution and bypass the patch for previous vulnerabil

    @Netlas_io

    20 May 2026

  2. 🚨 We are warning about a series of vulnerabilities in the n8n platform, CVE-2026-44789, CVE-2026-44790 and CVE-2026-44791. Three critical flaws have been identified in the native HTTP Request, Git and XML nodes that allow low-privileged authenticated attackers with

    @GOVCERT_CZ

    20 May 2026

  3. Critical vulnerabilities in n8n (CVE-2026-44789, CVE-2026-44790, CVE-2026-44791) https://t.co/gsgKoLYpvA #セキュリティ対策Lab #security #securitynews

    @securityLab_jp

    20 May 2026

  4. github CVE-2026-44789: RCE. cloud misconfigs scale your blast radius by every region you operate in. audit IAM first. #GitHub #RCE #CVE-2026-44789 https://t.co/hpOdrGCDAV

    @trerbbb

    18 May 2026

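  5. Three critical vulnerabilities with a CVSS score of 9.4 in n8n: CVE-2026-44790, CVE-2026-44791, CVE-2026-44789. A user who can create/modify workflows can execute arbitrary code on the infrastructure side. Fixed versions are available. https://t.co/ioxgK7xj0u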

    @__kokumoto

    18 May 2026

  6. n8n patched a critical prototype pollution bug (CVE-2026-44789) in the HTTP Request node that an authenticated user could chain into RCE on the instance. patch to 1.123.43 or 2.22.1. https://t.co/lpjLmO8XAF

    @securelens

    17 May 2026

  7. 🚨High - n8n Multiple Critical Vulnerabilities (CVE-2026-44791, CVE-2026-44792, CVE-2026-45732, CVE-2026-44789, CVE-2026-44790) Multiple high-severity vulnerabilities were disclosed in n8n, including Prototype Pollution leading to RCE (via XML Node and HTTP Request Node),

    @UpwindMDR

    14 May 2026

