How is CVE-2026-44791 exploited?

Network reachability (required): The attacker must reach the n8n service over the network; the CVSS vector specifies AV:N, meaning no local or physical access to the host is needed. Authentication (required): A low-privilege account with permission to create or modify workflows is sufficient; no administrative credentials are needed (PR:L). Victim interaction (not-required): No victim action is needed; the attacker triggers exploitation entirely through their own requests to the n8n API (UI:N). Attack complexity (info): Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special race conditions or environmental pre-conditions beyond holding a valid low-privilege account.

What is the impact of CVE-2026-44791?

A successful attacker executes arbitrary code on the n8n host process, gaining full control over the automation server. The attacker reads any data accessible to the n8n process, including stored credentials, API keys, and workflow secrets held in the n8n database. The attacker modifies or deletes workflows, persisted execution records, and connected data stores that n8n has write access to. Because both system confidentiality and system integrity CVSS tokens are rated High, compromise can extend beyond the n8n container to other services reachable from the host network.

Back to search

CRITICALCVE-2026-44791Published 2026-06-23Modified 2026-06-23CNA GitHub_M

CVE-2026-44791: n8n: XML Node Prototype Pollution Patch Bypass

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

CVSS v4.0: 9.4
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Prototype pollution patch bypass in n8n, an open-source workflow automation platform, allows an authenticated user with workflow creation or modification rights to circumvent the fix for CVE-2026-42232 in the XML node. The vulnerability is reachable over the network and requires only a low-privilege account. Chaining the bypass with other n8n nodes enables remote code execution on the n8n host. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream publishes a fix version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle n8n.

Available

Triage

HarborGuard scores this finding at CVSS 9.4 (Critical) using the recorded v4.0 vector and weights it against each environment's compliance policy, then routes the alert to the appropriate team inbox within the customer org.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a pull request opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the n8n service over the network; the CVSS vector specifies AV:N, meaning no local or physical access to the host is needed.
AuthenticationRequired
A low-privilege account with permission to create or modify workflows is sufficient; no administrative credentials are needed (PR:L).
Victim interactionNot required
No victim action is needed; the attacker triggers exploitation entirely through their own requests to the n8n API (UI:N).
Attack complexityDetail
Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special race conditions or environmental pre-conditions beyond holding a valid low-privilege account.

Blast Radius

A successful attacker executes arbitrary code on the n8n host process, gaining full control over the automation server.
The attacker reads any data accessible to the n8n process, including stored credentials, API keys, and workflow secrets held in the n8n database.
The attacker modifies or deletes workflows, persisted execution records, and connected data stores that n8n has write access to.
Because both system confidentiality and system integrity CVSS tokens are rated High, compromise can extend beyond the n8n container to other services reachable from the host network.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version exists for CVE-2026-44791 at this time, HarborGuard continuously monitors the advisory and re-checks for a published fix on every ingest cycle. Images containing affected n8n versions (below 1.123.43, or in the 2.x line below 2.20.7 and below 2.21.1) are flagged Critical in every environment where they appear. Until an upstream fix ships, customers can apply compensating controls through HarborGuard network policy suggestions: isolate the n8n service behind an internal network policy that restricts inbound access to trusted principals, gate workflow creation and modification rights to a minimal set of service accounts, and enable egress filtering to limit what the n8n process can reach from the host. For customers with auto-remediation enabled, a patched-image rebuild, regression-test run, and pull request against affected workloads will be triggered automatically the moment a fix version is published upstream, with no manual action required.

See how HarborGuard automates this

Affected packages

n8n-io / n8n
< 1.123.43 · >= 2.0.0-rc.0, < 2.20.7 · >= 2.21.0, < 2.21.1

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r

Metrics

Get notified