CVE-2026-44789: n8n: prototype pollution in HTTP node enables RCE

GHSA-c8xv-5998-g76h CRITICAL
Published May 14, 2026
CISO Take

n8n, a widely deployed AI workflow automation platform, contains a critical prototype pollution flaw (CWE-1321) in its HTTP Request node's pagination parameter handling that can be chained into full remote code execution on the host instance. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) places it in the critical tier: any authenticated user with workflow creation or editing rights, a role commonly granted to developers and contractors, can trigger the exploit with no user interaction and no elevated privileges. With 16 downstream npm dependents, an OpenSSF Scorecard of only 6.1/10, and 80 prior CVEs in the same package, this is not an isolated incident but a pattern of security debt in software that many organizations now use to orchestrate LLM pipelines, AI agents, and automated data workflows. Patch immediately to n8n 1.123.43, 2.20.7, or 2.22.1 (whichever fixed release matches your release line); if patching is blocked, add n8n-nodes-base.httpRequest to the NODES_EXCLUDE list, restart n8n, and restrict workflow editing to fully trusted administrators until the upgrade is complete.

Sources: NVD, GitHub Advisory, MITRE ATLAS, OpenSSF

What is the risk?

Critical. The flaw is network-reachable behind a low authentication barrier (any workflow editor), needs no user interaction, and carries a scope change (S:C) with full C/I/A impact, so a single compromised low-privilege account can yield host-level compromise. No public exploit or CISA KEV entry exists at time of publication, but prototype-pollution-to-RCE chains in Node.js are well documented and within reach of moderately skilled attackers without novel research. The 80 prior CVEs in this package and the 6.1/10 OpenSSF Scorecard signal ongoing security debt. n8n's role as an AI agent orchestration layer compounds the risk: a successful exploit exposes every credential, API key, and data source configured across all workflows on the instance.

How does the attack unfold?

Initial Access (AML.T0012 Valid Accounts): the attacker authenticates to n8n with a low-privilege account that has workflow creation or editing permissions.
Exploitation (AML.T0049 Exploit Public-Facing Application): the attacker creates or modifies a workflow with an HTTP Request node whose pagination parameter carries a crafted key (for example __proto__) that pollutes Object.prototype in the n8n Node.js process.
Privilege Escalation (AML.T0050 Command and Scripting Interpreter): every plain object in the process now inherits the polluted properties, so downstream code that reads an option it never set picks up the attacker's value; that inherited value is what turns the pollution into code execution.
Impact (AML.T0083 Credentials from AI Agent Configuration): with code execution on the n8n host, the attacker reads every stored LLM API key and workflow credential and can alter or backdoor AI agent pipeline logic.

What systems are affected?

Package   Ecosystem   Vulnerable range                                                        Patched
n8n       npm         1.x < 1.123.43; 2.x prior to 2.20.7 or 2.22.1 on the respective line   1.123.43, 2.20.7, 2.22.1

How severe is it?

CVSS 3.1: 9.9 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 46% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: High
A: High

What should I do?

  1. Patch: upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 immediately (npm update n8n or pull updated Docker image).

  2. Workaround if patching is delayed: add the node to NODES_EXCLUDE, which n8n reads as a JSON array of node type names (NODES_EXCLUDE='["n8n-nodes-base.httpRequest"]'), and restart n8n. Two caveats: every workflow that uses the HTTP Request node stops working until the variable is removed, and because prototype pollution lives in the memory of the running Node.js process, the restart is what clears any pollution an attacker has already applied.

  3. Restrict workflow creation and editing permissions to fully trusted administrators only until patching is complete.

  4. Audit workflow execution logs and the stored workflow definitions (the exported workflow JSON) for HTTP Request nodes whose pagination parameters contain __proto__, constructor or prototype as keys or values; treat any such workflow, and the account that last saved it, as an indicator of attempted exploitation.

  5. Rotate all credentials and API keys stored in n8n's credential store if compromise is suspected, especially LLM API keys and database secrets.

  6. Enable egress network monitoring on n8n host instances to detect anomalous outbound connections indicative of post-exploitation C2 activity.
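Two of the steps above, the version check in step 1 and the audit in step 4, can be scripted. The following is an added example written for this page, not code from n8n or from the advisory. It assumes that an exported workflow is JSON with a nodes array whose entries carry type and parameters (the pagination layout placed inside parameters is a guess, and the scanner does not depend on it), and it reads the advisory's fixed versions as one fix per release line: 1.x at 1.123.43, 2.20.x at 2.20.7, every other 2.x at 2.22.1, with later majors assumed fixed. The sample workflow is constructed.

```javascript
'use strict';

// Fixed versions stated in the advisory. Mapping them to release lines is this
// example's reading of the advisory text, not something the advisory spells out.
const FIXED = { line1: [1, 123, 43], line2_20: [2, 20, 7], line2: [2, 22, 1] };

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable n8n version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the installed version is below the fix for its release line.
// Major 3 and above is assumed to carry the fix.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  if (v[0] <= 1) return compareVersions(v, FIXED.line1) < 0;
  if (v[0] === 2 && v[1] === 20) return compareVersions(v, FIXED.line2_20) < 0;
  if (v[0] === 2) return compareVersions(v, FIXED.line2) < 0;
  return false;
}

const HTTP_REQUEST_NODE = 'n8n-nodes-base.httpRequest';
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const PROTO_IN_STRING = /__proto__|constructor\s*\.\s*prototype/;

// Walks a node's parameters and records every path where an object key or a
// string value names a prototype-chain property. Pagination parameter names are
// user-typed strings, so both the key and the value spelling must be caught.
function findPrototypeKeys(value, path = [], hits = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPrototypeKeys(item, path.concat(String(i)), hits));
  } else if (value !== null && typeof value === 'object') {
    // JSON.parse keeps "__proto__" as an own key, so Object.entries sees it.
    for (const [key, child] of Object.entries(value)) {
      if (PROTO_KEYS.has(key)) hits.push(path.concat(key).join('.'));
      findPrototypeKeys(child, path.concat(key), hits);
    }
  } else if (typeof value === 'string' && PROTO_IN_STRING.test(value)) {
    hits.push(`${path.join('.')}=${value}`);
  }
  return hits;
}

// Only HTTP Request nodes are in scope for this advisory; other node types are skipped.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== HTTP_REQUEST_NODE) continue;
    const hits = findPrototypeKeys(node.parameters || {});
    if (hits.length > 0) findings.push({ node: node.name, hits });
  }
  return findings;
}

// Constructed workflow export, not taken from any real instance. The pagination
// parameter layout is an assumption about the HTTP Request node's export format.
const SAMPLE_WORKFLOW = JSON.parse(`{
  "name": "constructed sample",
  "nodes": [
    { "name": "Fetch pages", "type": "n8n-nodes-base.httpRequest", "typeVersion": 4.2,
      "parameters": { "url": "https://api.example.invalid/items",
        "options": { "pagination": { "pagination": { "parameters": { "parameters": [
          { "type": "query", "name": "page", "value": "={{ $pageCount + 1 }}" } ] } } } } } },
    { "name": "Name smuggled", "type": "n8n-nodes-base.httpRequest", "typeVersion": 4.2,
      "parameters": { "url": "https://api.example.invalid/items",
        "options": { "pagination": { "pagination": { "parameters": { "parameters": [
          { "type": "body", "name": "__proto__", "value": "{\\"polluted\\":1}" } ] } } } } } },
    { "name": "Key smuggled", "type": "n8n-nodes-base.httpRequest", "typeVersion": 4.2,
      "parameters": { "options": { "pagination": { "__proto__": { "polluted": true } } } } },
    { "name": "Code", "type": "n8n-nodes-base.code", "parameters": { "jsCode": "return $input.all();" } }
  ]
}`);

console.log('1.123.42 vulnerable:', isVulnerableVersion('1.123.42'));
console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Run it with Node.js against a real export by replacing SAMPLE_WORKFLOW with the parsed export file; for an npm install, npm ls n8n prints the installed version to feed into isVulnerableVersion. A hit is a reason to pull the workflow's edit history and the editing account, not proof of exploitation, and a clean scan says nothing about what ran before the scan.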

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.1.2 - AI system security by design
A.8.7 - Logging and monitoring of AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-44789?

A prototype pollution flaw (CWE-1321) in the pagination parameter handling of n8n's HTTP Request node. An authenticated user who can create or edit workflows can pollute Object.prototype in the n8n process and chain that into remote code execution on the host. It is fixed in n8n 1.123.43, 2.20.7 and 2.22.1; the CISO Take above gives the full assessment.

Is CVE-2026-44789 actively exploited?

No confirmed active exploitation of CVE-2026-44789 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44789?

Follow the six steps under "What should I do?": upgrade to 1.123.43, 2.20.7 or 2.22.1; if that is delayed, exclude n8n-nodes-base.httpRequest via NODES_EXCLUDE and restrict workflow editing to trusted administrators; audit workflows and execution logs for malformed pagination parameters; rotate stored credentials if compromise is suspected; and monitor egress from the n8n host.

What systems are affected by CVE-2026-44789?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, LLM workflow automation pipelines, Multi-agent AI systems, RAG data ingestion workflows, Automated AI data pipelines.

What is the CVSS score for CVE-2026-44789?

CVE-2026-44789 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.63%.

What is the AI security impact?

Affected AI Architectures

AI agent orchestration platforms
LLM workflow automation pipelines
Multi-agent AI systems
RAG data ingestion workflows
Automated AI data pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.2, A.8.7
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

Exploitation Scenario

An attacker with a low-privilege n8n account, such as a developer or contractor granted workflow editing rights, creates or modifies a workflow containing an HTTP Request node. They craft a malicious pagination parameter value (for example via __proto__ or constructor.prototype keys) that pollutes Object.prototype within the n8n Node.js process. Because every plain object in the process inherits from that prototype, the injected properties surface in security-sensitive code paths that read an option they never set. The attacker then chains this primitive with a secondary technique, such as property injection into a Code node, a server-side template evaluation path, or a subsequent node that consumes polluted properties, to achieve arbitrary code execution on the n8n host. In an AI pipeline context, the attacker uses this foothold to extract all LLM API keys stored in n8n credentials, reroute agent tool calls to attacker-controlled endpoints to intercept sensitive data, and potentially poison workflow logic to alter AI agent behavior across the organization's automation stack.
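To make the primitive concrete, here is an added illustration of the bug class described above. It is not n8n's code and does not claim to reproduce the vulnerable pagination handler: it uses a hypothetical recursive option merge, two constructed payloads, and a hypothetical downstream consumer (execOptionsFor) standing in for any code that reads an option it never set.

```javascript
'use strict';

// Example for this page, not n8n's code. A hypothetical recursive option merge
// of the kind pagination handling often uses, fed constructed attacker JSON,
// next to a hardened version.

function isMergeableTarget(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable: descends into whatever target[key] resolves to. For the key
// "__proto__" that is the inherited accessor (Object.prototype); for
// "constructor" it is the Object function, whose "prototype" is again
// Object.prototype. Either way the recursion writes into the prototype that
// every plain object in the process inherits from.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!isMergeableTarget(target[key])) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened: fails closed on prototype-chain keys and only descends into
// properties the target itself owns, so nothing inherited is ever written.
function mergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-polluting key: ${key}`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical downstream consumer that never sets "shell" itself. After
// pollution it reads the attacker's value through the prototype chain; this is
// the shape of the classic child_process gadget, reported here rather than spawned.
function execOptionsFor(userOptions) {
  const opts = { cwd: '/tmp', ...userOptions };
  return { cwd: opts.cwd, useShell: opts.shell === true };
}

// Constructed attacker inputs as they would look after JSON.parse of a request body.
const PAYLOADS = [
  '{"__proto__": {"shell": true}}',
  '{"constructor": {"prototype": {"shell": true}}}',
];

function demonstrate() {
  const results = [];
  for (const raw of PAYLOADS) {
    const payload = JSON.parse(raw);
    const before = execOptionsFor({}).useShell;          // false
    mergeVulnerable({}, payload);
    const afterVulnerable = execOptionsFor({}).useShell; // true: an unrelated object is affected
    delete Object.prototype.shell;                       // undo the process-wide side effect
    let hardenedRejected = false;
    try {
      mergeHardened({}, payload);
    } catch {
      hardenedRejected = true;
    }
    const afterHardened = execOptionsFor({}).useShell;   // false
    results.push({ raw, before, afterVulnerable, hardenedRejected, afterHardened });
  }
  return results;
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The point of the demonstration is the second execOptionsFor call: the object it builds has no connection to the merge at all, yet it reports useShell as true, which is why a pollution primitive in one node can reach code in an entirely different part of the process. The hardened merge throws rather than silently skipping the key, so an exploitation attempt fails the request and leaves a log entry instead of partially succeeding.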

Weaknesses (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

  • [Implementation] By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
  • [Architecture and Design] By blocking modifications of attributes that resolve to object prototype, such as __proto__ or prototype, this weakness can be mitigated.

Source: MITRE CWE corpus.
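The two CWE mitigations above, as an added example that is not part of the CWE text or of n8n: it probes Object.prototype before and after Object.freeze and records two caveats a practitioner should know before relying on freezing alone. The probe helper and the property names are this example's own.

```javascript
'use strict';

// Example for this page, not from the CWE corpus or from n8n. Probes whether a
// prototype-chain write lands, before and after Object.freeze(Object.prototype).

// Attempts the write a polluting merge would make and reports whether it
// landed and whether it threw. Strict mode inside the function guarantees a
// TypeError on a frozen target instead of a silent no-op.
function tryPollute(proto, key) {
  'use strict';
  let threw = false;
  try {
    proto[key] = 'polluted';
  } catch (err) {
    threw = err instanceof TypeError;
  }
  const landed = Object.prototype.hasOwnProperty.call(proto, key);
  if (landed) delete proto[key]; // leave no trace between probes
  return { landed, threw };
}

function demonstrateFreeze() {
  const alreadyFrozen = Object.isFrozen(Object.prototype);
  // Reached the way a merge would reach it: via an instance's prototype.
  const beforeFreeze = tryPollute(Object.getPrototypeOf({}), 'polluted');
  Object.freeze(Object.prototype);
  const afterFreeze = tryPollute(Object.getPrototypeOf({}), 'polluted');
  // Caveat 1: only Object.prototype is frozen. Other prototypes a merge can
  // reach, Array.prototype here, stay writable.
  const arrayProto = tryPollute(Object.getPrototypeOf([]), 'polluted');
  // Caveat 2: legitimate extensions of Object.prototype now throw as well, so
  // the freeze must run after every library that extends it has loaded.
  const extension = tryPollute(Object.prototype, 'myHelper');
  return { alreadyFrozen, beforeFreeze, afterFreeze, arrayProto, extension };
}

// Computed once: freezing is irreversible for the lifetime of the process.
const FREEZE_REPORT = demonstrateFreeze();
console.log(JSON.stringify(FREEZE_REPORT, null, 2));
```

Freezing must run after every library that legitimately extends Object.prototype has loaded, or that library fails the way the last probe does; and it leaves Array.prototype and class prototypes writable, so it complements input validation rather than replacing it. Node.js additionally offers --disable-proto=delete (or =throw), which removes the __proto__ accessor and so closes that spelling of the payload but not the constructor.prototype route; neither runtime option is a substitute for the n8n fix.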

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: May 14, 2026
Last Modified: June 24, 2026
First Seen: May 14, 2026
