CVE-2026-44790

Summary

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

Affected Software

VendorProductVersion RangeStatus
n8n-ion8n< 1.123.43affected
n8n-ion8n>= 2.0.0-rc.0, < 2.20.7affected
n8n-ion8n>= 2.21.0, < 2.21.1affected

Weaknesses

  • CWE-88: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References