CRITICAL · CVE-2026-44789 · CNA: GitHub_M

CVE-2026-44789: n8n: HTTP Request Node Pagination Prototype Pollution to RCE

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

Metrics

  • CVSS v4.0 base score: 9.4
  • Severity: CRITICAL
  • Fixed in: 1.123.43, 2.22.1, 2.20.7 (as stated in the description above)
  • Affected products: 1


HarborGuard Analysis

Synopsis

Prototype pollution via unvalidated HTTP Request node pagination parameter affects n8n, an open source workflow automation platform. The vulnerability is reachable over the network by any authenticated user with workflow create or modify permissions, meaning no elevated privileges are required beyond a standard account. Successful exploitation enables global prototype pollution on the n8n instance which, combined with follow-on techniques, gives the attacker remote code execution. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream fix versions are published.
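As an added illustration of the bug class only (this is not n8n's code and not part of the advisory): a toy option setter that takes a user-supplied key path, the way a pagination-style parameter might name where a value should go, showing how one `__proto__` segment walks into `Object.prototype`, alongside a hardened setter that rejects prototype keys and a runtime check a defender can use. The function names, the `qs`/`headers` paths and the options shape are assumptions made for the example.

```javascript
// Added example (not n8n's code): how an unvalidated key path can pollute
// Object.prototype, and a hardened setter that refuses prototype keys.
// Names, paths and the "options" shape are assumed for illustration.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: assigns into a dotted path taken straight from user input.
// For the path "__proto__.polluted", options['__proto__'] is Object.prototype,
// so the final assignment lands on every object in the process.
function setOptionUnsafe(options, path, value) {
  const keys = path.split('.');
  let node = options;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return options;
}

// Hardened: reject any prototype-chain segment up front and only descend
// into own properties, so the walk can never leave the options object.
function setOptionSafe(options, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`rejected prototype key in option path "${path}"`);
  }
  let node = options;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return options;
}

// Runtime check for defenders: has Object.prototype gained an own property
// called `name`? Use a name no legitimate code defines (a canary).
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

The same pattern applies to `Object.assign`-style deep merges over user JSON: the fix is the same key blocklist (or `Object.create(null)` targets), applied before any assignment.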

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-44789 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle n8n. Any image running an affected version of n8n-io/n8n is flagged immediately on the next pipeline scan or registry push.

Triage (Available)

Triage is available using the CVSS v4.0 base score of 9.4 (Critical), with per-environment compliance policy weighting applied to surface findings to the appropriate team inbox inside each customer org.

Patch (Pending upstream)

Because no fix versions have been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a remediated release. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR opened against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable HTTP Request node pagination parameter is exposed over the network, so the attacker must be able to reach the n8n instance across the network.

  • Authentication: Required

    Any low-privilege account with permission to create or modify workflows is sufficient; no admin credentials are needed.

  • Victim interaction: Not required

    No victim interaction is required; the attacker submits the malicious pagination parameter directly without relying on any other user's action.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions beyond the authentication barrier.

Blast Radius

  • Reads sensitive data stored on the n8n instance, including workflow credentials, API keys, and environment variables accessible to the process.
  • Modifies workflow definitions and persisted configuration, allowing an attacker to alter automation logic across the instance.
  • Crashes or destabilizes the n8n service by corrupting the JavaScript prototype chain, causing unpredictable behavior in the runtime.
  • Achieves remote code execution on the underlying host, giving the attacker full control over the container or VM running the n8n instance.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-44789, the advisory is re-evaluated on every ingest cycle so that any new patch release is detected immediately. In the meantime, compensating controls worth considering include network-policy isolation to restrict which identities can reach the n8n instance, egress filtering on the n8n container to limit lateral movement if compromise occurs, and restricting workflow create or modify permissions to the smallest possible set of accounts via n8n's role system. Where compliance policy permits, auto-remediation customers will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically once upstream ships a patched version. The Critical CVSS v4.0 score of 9.4 means this advisory is prioritized for immediate review in any HarborGuard environment running an affected n8n image.

Affected packages

  • n8n-io/n8n: < 1.123.43 · >= 2.0.0-rc.0, < 2.20.7 · >= 2.21.0, < 2.21.1

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H