CVE-2026-44789: n8n: prototype pollution in HTTP node enables RCE

GHSA-c8xv-5998-g76h CRITICAL
Published May 14, 2026
CISO Take

n8n, a widely deployed AI workflow automation platform, contains a critical prototype pollution flaw (CWE-1321) in its HTTP Request node's pagination parameter handling that can be chained into full remote code execution on the host instance. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) places this in the critical tier: any authenticated user with workflow creation or editing rights — a role commonly granted to developers and contractors — can trigger the exploit with no user interaction and no elevated privileges. With 16 downstream npm dependents, an OpenSSF Scorecard of only 6.1/10, and 80 prior CVEs in the same package, this is not an isolated incident but a pattern of security debt in software that many organizations now use to orchestrate LLM pipelines, AI agents, and automated data workflows. Patch immediately to n8n 1.123.43, 2.20.7, or 2.22.1; if patching is blocked, add n8n-nodes-base.httpRequest to NODES_EXCLUDE and restrict workflow editing to fully trusted administrators until the upgrade is complete.

Sources: NVD, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

Critical. Network-reachable with a low authentication barrier (any workflow editor), no user interaction required, and a scope change (S:C) with full C/I/A impact means a single compromised low-privilege account can yield host-level compromise. Although no public exploit or CISA KEV entry exists at the time of publication, the prototype-pollution-to-RCE class is well documented in the JavaScript/Node.js ecosystem and is achievable by moderately skilled attackers without novel research. The 80 prior CVEs in this package and the 6.1/10 OpenSSF Scorecard signal ongoing security debt. n8n's role as an AI agent orchestration layer compounds the risk: successful exploitation exposes every credential, API key, and data source configured across all workflows on the instance.

Attack Kill Chain

Initial Access (AML.T0012): Attacker authenticates to n8n with a low-privilege account that has workflow creation or editing permissions.

Exploitation (AML.T0049): Attacker creates or modifies a workflow with an HTTP Request node containing a crafted pagination parameter that triggers global prototype pollution in the Node.js runtime.

Privilege Escalation (AML.T0050): Polluted Object prototype properties are inherited across security-sensitive code paths, enabling injection of attacker-controlled values into downstream execution contexts.

Impact (AML.T0083): Attacker achieves RCE on the n8n host, exfiltrating all stored LLM API keys and workflow credentials, and gains the ability to manipulate or backdoor AI agent pipeline logic.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable Range: < 1.123.43
Patched: 1.123.43

Package profile: 187.3K; OpenSSF Scorecard 6.1; 16 dependents; pushed 4d ago; 43% patched; ~3d to patch


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Patch: upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 immediately (npm update n8n or pull updated Docker image).

  2. Workaround if patching is delayed: set NODES_EXCLUDE=n8n-nodes-base.httpRequest in the n8n environment to disable the vulnerable node.

  3. Restrict workflow creation and editing permissions to fully trusted administrators only until patching is complete.

  4. Audit workflow execution logs for HTTP Request nodes with unexpected or malformed pagination parameters.

  5. Rotate all credentials and API keys stored in n8n's credential store if compromise is suspected, especially LLM API keys and database secrets.

  6. Enable egress network monitoring on n8n host instances to detect anomalous outbound connections indicative of post-exploitation C2 activity.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Article 15 - Accuracy, robustness and cybersecurity
  - Article 9 - Risk management system
ISO 42001
  - A.6.1.2 - AI system security by design
  - A.8.7 - Logging and monitoring of AI systems
NIST AI RMF
  - MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
  - LLM08:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-44789 actively exploited?

No confirmed active exploitation of CVE-2026-44789 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-44789?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, LLM workflow automation pipelines, Multi-agent AI systems, RAG data ingestion workflows, Automated AI data pipelines.

What is the CVSS score for CVE-2026-44789?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Impact

An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the HTTP Request node by adding `n8n-nodes-base.httpRequest` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitation Scenario

An attacker with a low-privilege n8n account — such as a developer or contractor granted workflow editing rights — creates or modifies a workflow containing an HTTP Request node. They craft a malicious pagination parameter value (e.g., via __proto__ or constructor.prototype injection) that pollutes JavaScript's global Object prototype within the n8n Node.js process. This pollution modifies inherited object properties across security-sensitive code paths in the runtime. The attacker then chains this primitive with a secondary technique — such as property injection into a Code node, a server-side template evaluation path, or a subsequent node that consumes polluted properties — to achieve arbitrary code execution on the n8n host. In an AI pipeline context, the attacker uses this foothold to extract all LLM API keys stored in n8n credentials, reroute agent tool calls to attacker-controlled endpoints to intercept sensitive data, and potentially poison workflow logic to alter AI agent behavior across the organization's automation stack.

Timeline

Published: May 14, 2026
Last Modified: May 14, 2026
First Seen: May 14, 2026
