CVE-2026-44790: n8n: Git node arg injection enables full server compromise

GHSA-57g9-58c2-xjg3 CRITICAL
Published May 14, 2026
CISO Take

n8n's Git node Push operation contains a critical argument injection flaw (CWE-88; the vendor-supplied CVSS:3.1 vector scores 9.9) that lets any authenticated user with workflow creation or editing rights inject CLI flags into the git command the node runs, which in turn allows reading arbitrary files on the n8n server. In AI automation deployments, n8n servers routinely hold AI provider API keys (OpenAI, Anthropic, Google), database connection strings, and SSH private keys in environment files, so arbitrary file read is a short path to compromise of every integrated AI service. No public exploit or CISA KEV entry exists yet, but the attack needs only a valid user account and no user interaction (CVSS AC:L, PR:L, UI:N), and n8n's broad adoption in enterprise AI orchestration pipelines makes it a likely target for weaponization. Upgrade immediately to n8n 1.123.43, 2.20.7, or 2.22.1; if patching is delayed, restrict workflow permissions to fully trusted administrators and disable the Git node by listing n8n-nodes-base.git in NODES_EXCLUDE.

Sources: GitHub Advisory, NVD, ATLAS, OpenSSF

What is the risk?

Critical risk for any organization running n8n as part of an AI agent or automation pipeline. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) scores 9.9: network-exploitable, low complexity, no user interaction, requiring only an authenticated account such as a standard developer or analyst login. The scope-changed (S:C) rating reflects that the impact reaches beyond n8n itself to every system whose credentials the server holds. In multi-user n8n deployments common in enterprise AI environments, the attacker population includes contractors, analysts, and developers who routinely hold workflow permissions. The package carries 80 prior CVEs and an OpenSSF Scorecard of 6.1/10, indicating elevated security debt. While no exploit code is public, the technique (CLI flag injection via untrusted input) is well understood and requires no AI-specific knowledge, so it will be trivially weaponizable once details circulate.

Attack Kill Chain

Initial Access
Attacker authenticates to n8n using a valid low-privilege account with workflow creation or editing permissions, obtainable via phishing, credential stuffing, or compromised contractor access.
AML.T0012
Exploitation
Attacker creates or modifies a workflow containing a Git node Push operation and places option-like values (strings beginning with a dash) in the repository, remote, or branch field; n8n passes these unsanitized into the argv of the git binary. Candidate flags are push's --receive-pack=<command> (the push-side counterpart of --upload-pack, which is a fetch/clone option) or a -c core.sshCommand=<command> override; the advisory does not disclose which flags were used, and which ones take effect depends on where the field lands in git's command line.
AML.T0049
Credential Harvest
Injected flags cause the n8n server to read and return arbitrary files from the local filesystem, targeting .env files, AI provider API keys (OpenAI, Anthropic), database passwords, and SSH private keys.
AML.T0037
Full Compromise
Harvested credentials enable lateral movement: attacker accesses AI provider accounts, exfiltrates model configurations and proprietary prompts, pivots to connected databases, and injects malicious instructions into live AI pipelines.
AML.T0106

What systems are affected?

Package   Ecosystem   Vulnerable range                                           Patched
n8n       npm         < 1.123.43 (1.x line)                                      1.123.43
n8n       npm         2.x lines (exact vulnerable ranges not given on this page) 2.20.7, 2.22.1


Severity & Risk

CVSS 3.1: 9.9 Critical, computed from the vendor-supplied vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD has not published its own score; n8n's primary CVSS 4.0 score is not reproduced on this page)
EPSS: not yet scored
Exploitation status: no known exploitation
Sophistication: trivial

What should I do?

  1. PATCH IMMEDIATELY: Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 (or a later release on the same line). These are the only complete remediations; the two interim measures below reduce exposure but leave the flaw in place.

  2. INTERIM: RESTRICT PERMISSIONS. Remove workflow creation and editing rights from all non-essential users, including users a workflow has been shared with, and limit them to fully trusted administrators until patching is complete.

  3. INTERIM: DISABLE THE GIT NODE. Add n8n-nodes-base.git to the NODES_EXCLUDE environment variable, which takes a JSON array encoded as a string, for example NODES_EXCLUDE='["n8n-nodes-base.git"]'. n8n reads this at startup, so a restart is required, and existing workflows that use the Git node will fail until the node is re-enabled; plan for that rather than expecting zero downtime.

  4. ROTATE CREDENTIALS: Audit and rotate every secret reachable from the n8n server: values in environment files and the process environment, everything in the n8n credentials store, and the SSH keys or tokens the Git node itself was configured with. Prioritize AI provider API keys, database passwords, and cloud provider secrets. If the credential-store encryption key (N8N_ENCRYPTION_KEY, or ~/.n8n/config when that variable is unset) could have been read together with the database, treat every stored credential as exposed.

  5. NETWORK ISOLATION: Verify n8n instances are not directly internet-exposed; enforce network segmentation and firewall rules so that only intended users and integrations can reach the editor and API.

  6. DETECTION: Export workflow definitions (n8n export:workflow --all) and inspect Git node parameters for values beginning with a dash or containing embedded option syntax; review execution history for Git node runs in workflows created or edited by unexpected users; on the host, watch for git child processes of the n8n process that read files outside the repository or launch other binaries, and for unusual outbound connections after workflow executions.
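The workflow-definition check from step 6, as an added example (not code from this page or from n8n). It assumes the export format produced by n8n export:workflow (an array of workflows, each with nodes carrying type and parameters); the node type string n8n-nodes-base.git is the one the advisory names, while the parameter names in the constructed sample (repositoryPath, options.remote, options.branch) are assumed for illustration, so the scanner walks every string parameter rather than relying on them. Values set by n8n expressions (={{ ... }}) cannot be judged statically and are reported as dynamic for manual review.

```javascript
// Added example: scan exported n8n workflow JSON for Git node parameters that
// git would parse as command-line options. Not n8n code; field names assumed.

const GIT_NODE_TYPE = 'n8n-nodes-base.git';   // identifier from the advisory

// What to look for in a string that may end up as one element of git's argv.
const OPTION_LIKE = /^\s*-/;             // "--receive-pack=/x", "-c core.sshCommand=x"
const EMBEDDED_OPTION = /\s--?[A-Za-z]/; // "main --receive-pack=/x" (dangerous if split on whitespace)
const EXPRESSION = /^=\s*\{\{/;          // n8n expression, resolved only at run time

// Collect every string value under a parameters object with its dotted path.
function walkStrings(value, path, out) {
  if (typeof value === 'string') { out.push({ path, value }); return out; }
  if (Array.isArray(value)) { value.forEach((v, i) => walkStrings(v, `${path}[${i}]`, out)); return out; }
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) walkStrings(v, path ? `${path}.${k}` : k, out);
  }
  return out;
}

// Returns the finding kind for one parameter value, or null if it looks benign.
function classify(value) {
  if (EXPRESSION.test(value)) return 'dynamic';
  if (OPTION_LIKE.test(value)) return 'option-like';
  if (EMBEDDED_OPTION.test(value)) return 'embedded-option';
  return null;
}

// One finding per suspicious Git node parameter across all workflows.
function scanWorkflows(workflows) {
  const findings = [];
  for (const wf of workflows) {
    for (const node of wf.nodes || []) {
      if (node.type !== GIT_NODE_TYPE) continue;
      for (const { path, value } of walkStrings(node.parameters || {}, '', [])) {
        const kind = classify(value);
        if (kind) findings.push({ workflow: wf.name, node: node.name, parameter: path, kind, value });
      }
    }
  }
  return findings;
}

// Constructed sample export: one benign workflow, one with injected values.
const SAMPLE_WORKFLOWS = [
  { name: 'nightly-backup', nodes: [
    { name: 'Git', type: GIT_NODE_TYPE,
      parameters: { operation: 'push', repositoryPath: '/data/repo',
                    options: { remote: 'origin', branch: 'main' } } } ] },
  { name: 'contractor-sync', nodes: [
    { name: 'Git1', type: GIT_NODE_TYPE,
      parameters: { operation: 'push', repositoryPath: '/data/repo',
                    options: { remote: '--receive-pack=/tmp/x', branch: '={{ $json.branch }}' } } },
    // Non-Git nodes are out of scope for this check even if they contain dashes.
    { name: 'HTTP', type: 'n8n-nodes-base.httpRequest', parameters: { url: '--not-git' } } ] },
];

for (const f of scanWorkflows(SAMPLE_WORKFLOWS)) console.log(JSON.stringify(f));
```

To run it against a real instance, pass the parsed output of n8n export:workflow --all to scanWorkflows; treat every option-like or embedded-option hit as an incident indicator and every dynamic hit as a workflow whose run-time inputs need review.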

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 (Accuracy, robustness and cybersecurity)
ISO 42001: 8.4 (AI system risk treatment), A.6.2 (AI system security)
NIST AI RMF: MANAGE 2.2 (Mechanisms to sustain the value of deployed AI)
OWASP LLM Top 10: LLM02:2025 (Sensitive Information Disclosure), LLM06:2025 (Excessive Agency)

Frequently Asked Questions

What is CVE-2026-44790?

CVE-2026-44790 is an argument injection flaw (CWE-88) in the Push operation of n8n's Git node: an authenticated user who can create or edit workflows can supply field values that git interprets as command-line options, which allows reading arbitrary files from the n8n server and, through the credentials those files hold, full compromise of the surrounding environment. It is fixed in n8n 1.123.43, 2.20.7, and 2.22.1; see the CISO Take and the remediation steps above.

Is CVE-2026-44790 actively exploited?

No confirmed active exploitation of CVE-2026-44790 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44790?

Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1. Until then, restrict workflow creation and editing to trusted administrators and disable the Git node by listing n8n-nodes-base.git in NODES_EXCLUDE (restart required; workflows that use the node will stop working). Afterwards rotate every credential reachable from the server, confirm the instance is not internet-exposed, and review exported workflows and execution history for Git nodes with option-like parameter values. The six steps are detailed under What should I do? above.

What systems are affected by CVE-2026-44790?

Any n8n deployment that allows multiple users to create or edit workflows is affected. In AI/ML terms that covers the following architecture patterns: AI agent frameworks, LLM orchestration pipelines, MLOps automation pipelines, agentic workflow automation, and CI/CD pipelines with Git integration.

What is the CVSS score for CVE-2026-44790?

NVD has not published a score as of this page's timeline, but the vendor advisory's CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) computes to 9.9 Critical. n8n uses CVSS 4.0 as its primary score; that vector is not reproduced here.

Technical Details

NVD Description

## Impact

An authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise.

## Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

---

n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitation Scenario

An attacker compromises or registers a legitimate n8n account with workflow editing permissions, achievable via phishing a developer, exploiting a weak password, or using a contractor account. They create a new workflow containing a Git node configured for a Push operation and put option-like strings in the repository URL, remote, or branch field. Candidates are push's --receive-pack=<command> (the push-side counterpart of --upload-pack, which is a fetch/clone option) or a -c core.sshCommand=<command> override; the advisory does not name the flags, and which ones take effect depends on where the field lands in git's argv. When the workflow runs, n8n passes the value unsanitized to the git binary, which acts on it in the server OS context. The attacker iterates: first reading /etc/passwd and /proc/self/environ (git inherits n8n's environment, so this exposes secrets supplied as environment variables even when no .env file exists) to fingerprint the deployment, then targeting /opt/n8n/.env or the equivalent path for the installation, and ~/.n8n/config, which holds the credential-store encryption key when N8N_ENCRYPTION_KEY is not set, to harvest AI API keys (OpenAI, Anthropic), database connection strings, and any cloud provider credentials. With those keys, the attacker uses the organization's OpenAI or Anthropic account, including its fine-tuned models and any prompts or data stored with the provider, pivots to connected databases, and potentially injects malicious instructions into live AI agent workflows, achieving persistent access across the entire AI infrastructure stack.
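The injection point described above, as an added example that is not n8n's code and does not claim to reproduce its Git node: a push argv builder in the vulnerable shape (user-controlled strings dropped straight into git's argument list) beside a hardened one. The field names remote and branch, the sample values, and the helper names are assumptions; the two defences shown (an allow-list that forbids a leading dash, and git's --end-of-options terminator, available since git 2.24) are general argument-injection mitigations, not a description of the vendor's fix.

```javascript
// Added example, not n8n code. Shows why handing untrusted strings to git as
// argv elements is an argument injection, and one way to close it.

// Vulnerable shape: whatever the workflow author typed becomes an argv element.
// git parses "--receive-pack=/tmp/x" here as an option, not as a remote name,
// so the workflow author chooses git's behaviour instead of just its target.
function buildPushArgsVulnerable({ remote, branch }) {
  return ['push', remote, branch];
}

// Hardened shape, two independent layers:
//  1. allow-list: first character alphanumeric (so never '-'), and only the
//     characters that occur in remote names and refspecs (a:b is a refspec);
//  2. --end-of-options (git >= 2.24) tells git that nothing after it is an
//     option, so even a value that slipped past layer 1 cannot become a flag.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/:-]*$/;

function assertSafeRef(field, value) {
  if (typeof value !== 'string' || !SAFE_REF.test(value) ||
      value.includes('..') || value.endsWith('.lock')) {   // also invalid in git refnames
    throw new Error(`${field} is not a plain remote/refspec: ${JSON.stringify(value)}`);
  }
  return value;
}

function buildPushArgsHardened({ remote, branch }) {
  return ['push', '--end-of-options',
          assertSafeRef('remote', remote), assertSafeRef('branch', branch)];
}

// True when an argument after the subcommand, and before any --end-of-options,
// would be parsed as an option. A last-resort check before spawn('git', argv);
// never build a shell string from these values.
function looksLikeOptionInjection(argv) {
  const body = argv.slice(1);
  const stop = body.indexOf('--end-of-options');
  return (stop === -1 ? body : body.slice(0, stop)).some(a => a.startsWith('-'));
}

// Constructed inputs: a benign push and an option-like remote value.
const BENIGN = { remote: 'origin', branch: 'main' };
const INJECTED = { remote: '--receive-pack=/tmp/x', branch: 'main' };

console.log('vulnerable argv:', buildPushArgsVulnerable(INJECTED),
            'option injected:', looksLikeOptionInjection(buildPushArgsVulnerable(INJECTED)));
console.log('hardened argv:', buildPushArgsHardened(BENIGN));
try { buildPushArgsHardened(INJECTED); } catch (e) { console.log('hardened rejects:', e.message); }
```

The allow-list is deliberately stricter than git's own refname rules; for a node that only ever pushes to configured remotes, rejecting an unexpected character is cheaper than reasoning about every git option that takes a path or a command.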

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 14, 2026
