CVE-2026-33724 Overview
CVE-2026-33724 is a Man-in-the-Middle vulnerability affecting the n8n open source workflow automation platform. When the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disables host key verification. This security oversight allows a network attacker positioned between the n8n instance and the remote Git server to intercept connections and present fraudulent host keys, potentially enabling injection of malicious content into workflows or interception of sensitive repository data.
Critical Impact
Attackers in a privileged network position can intercept SSH connections between n8n and Git servers, potentially injecting malicious workflow content or exfiltrating sensitive repository data through man-in-the-middle attacks.
Affected Products
- n8n versions prior to 2.5.0
- n8n instances with Source Control feature enabled and configured to use SSH
- Self-hosted n8n deployments using SSH-based Git integration
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-33724 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33724
Vulnerability Analysis
This vulnerability stems from improper certificate validation (CWE-639) in n8n's Source Control feature. When SSH is configured for Git operations, the underlying SSH command is executed with host key verification explicitly disabled. This configuration bypasses a fundamental security control that protects SSH connections from interception and impersonation attacks.
The vulnerability requires the attacker to be in a network position between the n8n instance and the Git server, making it exploitable in scenarios such as compromised network infrastructure, rogue access points, or ARP spoofing attacks on local networks. While the attack complexity is elevated due to the required network positioning, successful exploitation can have significant consequences for workflow integrity and data confidentiality.
Root Cause
The root cause is the explicit disabling of SSH host key verification in git operations. Normally, SSH clients verify the identity of remote servers by checking their host keys against known good values. By disabling this verification, n8n accepts connections from any server claiming to be the Git remote, regardless of whether its cryptographic identity matches expectations. This design decision, likely made to simplify initial setup or avoid host key management issues, creates a significant security gap.
Attack Vector
The attack vector is network-based and requires the following conditions:
- The n8n Source Control feature must be explicitly enabled (non-default configuration)
- SSH must be configured as the transport for Git operations
- The attacker must achieve a man-in-the-middle position on the network path between the n8n instance and the Git server
Once positioned, an attacker can intercept SSH connection attempts and present their own SSH server with a fraudulent host key. Because host key verification is disabled, n8n accepts this fraudulent connection. The attacker can then relay traffic to the actual Git server while inspecting or modifying data in transit, inject malicious workflow definitions that execute when imported into n8n, or capture credentials or sensitive data contained in repository contents.
Detection Methods for CVE-2026-33724
Indicators of Compromise
- Unexpected changes to workflow definitions that were not made by authorized users
- Network traffic anomalies showing SSH connections to unexpected IP addresses
- Git repository logs indicating commits or pushes from unknown sources
- Configuration file modifications in n8n's Source Control settings
Detection Strategies
- Monitor network traffic for SSH connections from n8n instances and verify destination IP addresses match expected Git server infrastructure
- Implement network segmentation monitoring to detect potential MITM positioning attempts
- Review n8n audit logs for unauthorized workflow modifications following Source Control sync operations
- Deploy network intrusion detection rules to identify SSH session hijacking indicators
Monitoring Recommendations
- Enable comprehensive logging for all Git operations performed by n8n
- Implement file integrity monitoring on workflow definition files
- Configure alerts for any SSH connection failures or certificate warnings in n8n logs
- Monitor for ARP spoofing or DNS poisoning attempts on the network segment hosting n8n
How to Mitigate CVE-2026-33724
Immediate Actions Required
- Upgrade n8n to version 2.5.0 or later immediately to remediate the vulnerability
- Audit all workflows for unexpected or malicious modifications that may have occurred during the vulnerable period
- Review network access controls between n8n instances and Git servers
- Consider implementing VPN or dedicated network paths for Git communications as an additional layer of protection
Patch Information
The vulnerability has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to fully remediate the vulnerability. For detailed patch information and security advisory details, refer to the GitHub Security Advisory GHSA-43v7-fp2v-68f6.
Workarounds
- Disable the Source Control feature entirely if it is not actively required for operations
- Restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths
- Consider switching to HTTPS-based Git authentication if SSH cannot be secured
- Implement network segmentation to minimize the attack surface for potential MITM attacks
# Verify n8n version after upgrade
n8n --version
# Expected output: 2.5.0 or higher
# If upgrade is not possible, disable Source Control via environment variable
export N8N_SOURCECONTROL_ENABLED=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
