Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44789

CVE-2026-44789: N8n Workflow Automation RCE Vulnerability

CVE-2026-44789 is an RCE vulnerability in N8n workflow automation that allows authenticated users to exploit prototype pollution in the HTTP Request node. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-44789 Overview

CVE-2026-44789 is a prototype pollution vulnerability in n8n, an open source workflow automation platform. The flaw exists in the HTTP Request node, where an unvalidated pagination parameter allows authenticated users to pollute the global JavaScript prototype chain. Any user with permission to create or modify workflows can trigger the vulnerability.

When combined with other techniques, prototype pollution can lead to remote code execution on the n8n instance. The vulnerability affects all versions prior to 1.123.43, 2.22.1, and 2.20.7. The issue is tracked under CWE-1321 as Improperly Controlled Modification of Object Prototype Attributes.

Critical Impact

Authenticated users with workflow creation privileges can pollute global prototypes and potentially achieve remote code execution on the n8n instance.

Affected Products

  • n8n versions prior to 1.123.43
  • n8n versions prior to 2.22.1
  • n8n versions prior to 2.20.7

Discovery Timeline

  • 2026-06-23 - CVE-2026-44789 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-44789

Vulnerability Analysis

The vulnerability resides in the HTTP Request node of n8n, a core component used to make outbound HTTP calls within automated workflows. The pagination parameter passed to this node is not properly validated before being merged into JavaScript objects. This allows attacker-controlled keys such as __proto__, constructor, or prototype to modify the base Object prototype.

Once the global prototype is polluted, every object in the Node.js runtime inherits the injected properties. This behavior creates the foundation for subsequent attack chains. Adversaries can combine prototype pollution with gadgets in n8n or its dependencies to escalate from authenticated workflow access to full remote code execution.

Root Cause

The root cause is improper input validation on the pagination parameter consumed by the HTTP Request node. Object merge operations recursively assign user-supplied keys without filtering reserved prototype properties. The lack of an allowlist or sanitization step on parameter names allows pollution of Object.prototype at runtime.

Attack Vector

Exploitation requires network access to the n8n web interface and authenticated credentials with workflow edit permissions. The attacker constructs a workflow that uses the HTTP Request node with a crafted pagination parameter containing prototype-polluting keys. Triggering the workflow injects properties into Object.prototype, affecting subsequent operations across the entire Node.js process.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-c8xv-5998-g76h for vendor-provided technical details.

Detection Methods for CVE-2026-44789

Indicators of Compromise

  • Workflow definitions containing pagination parameter keys such as __proto__, constructor, or prototype
  • Unexpected modifications to existing workflows by accounts with minimal historical activity
  • Anomalous outbound HTTP requests originating from the n8n process following workflow edits
  • Node.js process crashes or unusual behavior after workflow execution

Detection Strategies

  • Audit workflow JSON exports for prototype-polluting key names in HTTP Request node configurations
  • Monitor n8n audit logs for workflow creation or modification events from non-administrative users
  • Inspect HTTP Request node parameters in stored workflow definitions for suspicious nested keys
  • Correlate authenticated user activity with deviations in n8n runtime behavior

Monitoring Recommendations

  • Enable verbose logging on the n8n instance and forward logs to a centralized analytics platform
  • Track process spawn events from the n8n Node.js runtime for unexpected child processes
  • Alert on workflow imports containing the strings __proto__ or prototype in parameter fields
  • Review user role assignments to identify accounts with workflow modification permissions

How to Mitigate CVE-2026-44789

Immediate Actions Required

  • Upgrade n8n to version 1.123.43, 2.22.1, or 2.20.7 depending on your release branch
  • Audit existing workflows for malicious pagination parameters in HTTP Request nodes
  • Review user accounts with workflow creation or edit permissions and revoke unnecessary access
  • Rotate any credentials or API keys stored within n8n if compromise is suspected

Patch Information

The vendor has released fixed versions 1.123.43, 2.22.1, and 2.20.7. Patch details and version-specific guidance are documented in the n8n GitHub Security Advisory GHSA-c8xv-5998-g76h.

Workarounds

  • Restrict workflow creation and modification permissions to trusted administrators only
  • Place the n8n management interface behind a VPN or network-level access control
  • Disable or restrict use of the HTTP Request node where feasible until patches are applied
  • Monitor and review all workflow changes through code review processes before activation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.