Threat Advisory

n8n Vulnerability Brings About Git Unit Parameter Disruption

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-44789 (CVSS 9.4) is an authenticated vulnerability in n8n. A user with workflow creation or modification privileges can exploit an unvalidated pagination parameter in the HTTP Request node, leading to global prototype pollution. In certain attack chains, this object manipulation issue can be escalated further to achieve remote code execution on the affected instance. The flaw primarily impacts environments where workflow permissions are broadly assigned, potentially allowing attackers to compromise the integrity of workflows and the underlying system. As a mitigation, administrators should restrict workflow creation and editing access to trusted users only and consider disabling the HTTP Request node using the NODES_EXCLUDE environment variable; these measures only reduce exposure and do not fully eliminate the risk.
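
The advisory gives no code-level detail, so the following is an added illustration of the bug class it names and is not n8n source code. It assumes a hypothetical helper that writes a caller-supplied parameter name into an options object, shown without validation and then hardened; all function names and inputs are constructed.

```javascript
// Added illustration of the bug class; hypothetical helpers, not n8n source code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);
// Unsafe: walks a caller-supplied dotted path with no validation.
function setByPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // '__proto__' resolves to the shared Object.prototype
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject dangerous segments and only descend into own properties.
function setByPathSafe(target, path, value) {
  const keys = String(path).split('.');
  if (keys.some((k) => k === '' || FORBIDDEN_KEYS.has(k))) {
    throw new Error(`rejected parameter path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null); // no prototype to inherit from or reach
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed inputs: one hostile parameter name, one ordinary one.
function demo() {
  const out = {};
  setByPathUnsafe({}, '__proto__.polluted', 'yes');
  out.unsafePollutedGlobal = ({}).polluted === 'yes'; // every object now sees it
  delete Object.prototype.polluted; // undo the pollution before continuing
  try {
    setByPathSafe({}, '__proto__.polluted', 'yes');
    out.safeRejected = false;
  } catch (err) {
    out.safeRejected = true;
  }
  out.safePollutedGlobal = 'polluted' in {};
  out.ordinary = setByPathSafe({}, 'qs.page', 2).qs.page;
  return out;
}
console.log(demo());
```

The unsafe helper changes a property on every object in the process, which is why the summary calls the pollution global; the hardened helper rejects the same input before any write happens.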


RECOMMENDATION:

We recommend updating n8n to version 1.123.43, 2.20.7, or 2.22.1 or later.

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/n8n-rce-vulnerabilities/