n8n instances with Source Control configured over SSH are vulnerable to man-in-the-middle attacks that can silently inject malicious content into AI automation workflows. The patch is available in 2.5.0—upgrade immediately; if not feasible, disable Source Control or enforce trusted network paths to the git server. The critical risk here is not data theft: it is an attacker reshaping AI agent behavior at the workflow layer, invisible to end users.
What is the risk?
CVSS 7.4 (High) is appropriate but real-world risk is constrained by two factors: the Source Control SSH feature must be explicitly enabled (non-default), and the attacker must achieve network MitM positioning between n8n and the git server (AC:H). EPSS 0.00013 reflects negligible current exploitation in the wild. However, for organizations running n8n as an AI agent orchestration hub—a common pattern—the blast radius of a successful exploit is disproportionately large: a single poisoned workflow can compromise every AI pipeline routed through that instance.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 2.5.0 | 2.5.0 |
Do you use n8n? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade n8n to version 2.5.0 or later—this is the only full remediation. 2) If upgrade is blocked, disable the Source Control feature entirely via settings. 3) As a network control, route n8n-to-git-server traffic exclusively over a private VPC or VPN where MitM is not feasible. 4) Audit workflow git history for unexpected commits or structural changes to HTTP, code, or LLM nodes. 5) Enable SSH known_hosts enforcement across all automation tooling and validate this is not silently disabled in other CI/CD components. 6) Review n8n logs for unexpected git sync activity or authentication anomalies.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-33724?
n8n instances with Source Control configured over SSH are vulnerable to man-in-the-middle attacks that can silently inject malicious content into AI automation workflows. The patch is available in 2.5.0—upgrade immediately; if not feasible, disable Source Control or enforce trusted network paths to the git server. The critical risk here is not data theft: it is an attacker reshaping AI agent behavior at the workflow layer, invisible to end users.
Is CVE-2026-33724 actively exploited?
No confirmed active exploitation of CVE-2026-33724 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33724?
1) Upgrade n8n to version 2.5.0 or later—this is the only full remediation. 2) If upgrade is blocked, disable the Source Control feature entirely via settings. 3) As a network control, route n8n-to-git-server traffic exclusively over a private VPC or VPN where MitM is not feasible. 4) Audit workflow git history for unexpected commits or structural changes to HTTP, code, or LLM nodes. 5) Enable SSH known_hosts enforcement across all automation tooling and validate this is not silently disabled in other CI/CD components. 6) Review n8n logs for unexpected git sync activity or authentication anomalies.
What systems are affected by CVE-2026-33724?
This vulnerability affects the following AI/ML architecture patterns: AI agent pipelines, workflow automation frameworks, n8n-based agent orchestration, CI/CD for AI systems, LLM tool-call pipelines, RAG ingestion workflows.
What is the CVSS score for CVE-2026-33724?
CVE-2026-33724 has a CVSS v3.1 base score of 7.4 (HIGH). The EPSS exploitation probability is 0.29%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011 User Execution AML.T0081 Modify AI Agent Configuration AML.T0099 AI Agent Tool Data Poisoning Compliance Controls Affected
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable the Source Control feature if it is not actively required, and/or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker with network positioning on the path between the n8n instance and its remote git server—achievable via ARP poisoning on the same subnet, a compromised cloud routing layer, or BGP manipulation—intercepts the SSH handshake when n8n pulls workflow updates. Because StrictHostKeyChecking is disabled, n8n silently accepts the attacker's fraudulent host key. The attacker serves a modified repository containing production workflows with injected malicious steps: an added HTTP Request node that forwards all LLM completions to an external endpoint, a modified AI Agent node with a rewritten system prompt introducing a persistent indirect prompt injection, or a Code node that exfiltrates environment variables including API keys for downstream AI services. These poisoned workflows deploy transparently and execute on every subsequent trigger, potentially for weeks before discovery.
Weaknesses (CWE)
CWE-639 Authorization Bypass Through User-Controlled Key
Primary
CWE-639 Authorization Bypass Through User-Controlled Key
Primary
CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials
Same package: n8n CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same package: n8n CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same package: n8n CVE-2025-68668 9.9 n8n: Protection Bypass circumvents security controls
Same package: n8n CVE-2026-27495 9.9 n8n: Code Injection enables RCE
Same package: n8n