CVE-2026-44791

Published Jun 23, 2026

Last updated 11 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-44791 is a patch bypass vulnerability found in the XML node of the n8n workflow automation software. This flaw reintroduces a previously addressed prototype pollution issue, allowing attackers to circumvent existing fixes for manipulating object prototypes through the XML processing logic. When exploited, particularly in conjunction with other vulnerabilities, CVE-2026-44791 can enable authenticated attackers to execute arbitrary code, bypass security mechanisms, perform SQL injection attacks, manipulate data, or disclose confidential information on systems running vulnerable versions of n8n. Affected versions include n8n prior to 2.20.0, 1.123.43, 2.22.1, and 2.20.7, with patches available to address the issue.

Description
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Source
security-advisories@github.com
NVD status
Analyzed
Products
n8n

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.4
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-1321

Social media

Hype score
Not currently trending
  1. CVE-2026-44789, CVE-2026-44790 & CVE-2026-44791: 3 new vulnerabilities in n8n, 9.4 rating 🔥 Recently disclosed vulnerabilities in n8n allow an attacker to read arbitrary files from the server, achieve global prototype pollution and bypass the patch for previous vulnerabil

    @Netlas_io

    20 May 2026

    5066 Impressions

    18 Retweets

    51 Likes

    23 Bookmarks

    2 Replies

    0 Quotes

  2. 🚨 Upozorňujeme na sérii zranitelností v platformě n8n, CVE-2026-44789, CVE-2026-44790 a CVE-2026-44791. Byly identifikovány tři kritické chyby v nativních uzlech HTTP Request, Git a XML, které umožňují nízko-privilegovaným autentizovaným útočníkům s opráv

    @GOVCERT_CZ

    20 May 2026

    559 Impressions

    2 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. n8nに重大な脆弱性(CVE-2026-44789・CVE-2026-44790・CVE-2026-44791) https://t.co/gsgKoLYpvA #セキュリティ対策Lab #security #securitynews

    @securityLab_jp

    20 May 2026

    105 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. n8nにCVSSスコア9.4の重大(Critical)な脆弱性が3件。CVE-2026-44790、CVE-2026-44791、CVE-2026-44789。ワークフローの作成/変更が可能なユーザがインフラ側で任意のコードを実行できる。修正版提供あり。 https://t.co/ioxgK7xj0u

    @__kokumoto

    18 May 2026

    1111 Impressions

    2 Retweets

    7 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨High - n8n Multiple Critical Vulnerabilities (CVE-2026-44791, CVE-2026-44792, CVE-2026-45732, CVE-2026-44789, CVE-2026-44790) Multiple high-severity vulnerabilities were disclosed in n8n, including Prototype Pollution leading to RCE (via XML Node and HTTP Request Node),

    @UpwindMDR

    14 May 2026

    80 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.