n8n's Git node Push operation contains a critical argument injection flaw (CWE-88, CVSS:3.1 ~9.9) that allows any authenticated user with workflow creation or editing rights to inject arbitrary CLI flags into the underlying git binary — enabling direct read of any file on the n8n server filesystem. In AI automation deployments, n8n servers routinely hold AI provider API keys (OpenAI, Anthropic, Google), database connection strings, and SSH private keys in environment files, making this a near-instant path to full environment compromise across every integrated AI service. No public exploit or CISA KEV entry exists yet, but the attack requires only a valid user account with no additional interaction (CVSS AC:L, PR:L, UI:N), and n8n's broad adoption in enterprise AI orchestration pipelines makes this a high-priority target for weaponization. Patch immediately to n8n 1.123.43, 2.20.7, or 2.22.1; if patching is delayed, restrict workflow permissions to fully trusted administrators and disable the Git node by adding n8n-nodes-base.git to NODES_EXCLUDE.
What is the risk?
Critical risk for any organization running n8n as part of an AI agent or automation pipeline. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) scores approximately 9.9, reflecting network-exploitable, low-complexity exploitation requiring only authenticated access — a standard developer or analyst account. In multi-user n8n deployments common in enterprise AI environments, the attacker population includes contractors, analysts, and developers who routinely hold workflow permissions. The package carries 80 prior CVEs and an OpenSSF Scorecard of 6.1/10, indicating elevated security debt. While no exploit code is public, the technique (CLI flag injection via untrusted input) is well-understood and requires no specialized AI knowledge, making this trivially weaponizable once details circulate.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.43 | 1.123.43 |
Do you run n8n in the vulnerable range? You're affected.
What should I do?
Six steps:

1. PATCH IMMEDIATELY: Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 — these are the only complete remediations.
2. INTERIM — RESTRICT PERMISSIONS: Remove workflow creation and editing rights from all non-essential users; limit to fully trusted administrators only until patching is complete.
3. INTERIM — DISABLE GIT NODE: Add n8n-nodes-base.git to the NODES_EXCLUDE environment variable to fully disable the vulnerable component with zero downtime.
4. ROTATE CREDENTIALS: Immediately audit and rotate all credentials stored in n8n environment files and the n8n credentials store — prioritize AI provider API keys, database passwords, and any cloud provider secrets.
5. NETWORK ISOLATION: Verify n8n instances are not directly internet-exposed; enforce network segmentation and firewall rules to limit attacker access surface.
6. DETECTION: Review n8n workflow audit logs for Git node executions with anomalous flag patterns or unexpected repository paths; monitor server filesystem access logs and outbound network connections for unusual patterns post-workflow execution.
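To support the detection and NODES_EXCLUDE steps, here is an added example in Node.js (n8n's runtime); it is not n8n's own code. It scans an exported workflow for Git-node parameters that look like git options and checks whether the NODES_EXCLUDE variable disables the Git node. The export shape (nodes[].type, nodes[].parameters) follows n8n's workflow JSON; the constructed sample workflow and its parameter names (repositoryPath, targetBranch) are assumptions for illustration.

```javascript
// Added example, not n8n's own code: flag option-shaped values in Git nodes of an
// exported workflow, and check that NODES_EXCLUDE disables the Git node.

const GIT_NODE_TYPE = 'n8n-nodes-base.git';

// A value is option-shaped if any whitespace-separated token in it starts with
// '-' (covers "-c", "--upload-pack=...", "--config=..."). Legitimate refs,
// remotes and repository paths never begin with '-'.
function isOptionShaped(value) {
  if (typeof value !== 'string') return false;
  return value.split(/\s+/).some((tok) => tok.startsWith('-') && tok.length > 1);
}

// Walk a workflow export and return one finding per suspicious Git-node parameter.
function findSuspiciousGitNodes(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== GIT_NODE_TYPE) continue;
    for (const [param, value] of Object.entries(node.parameters || {})) {
      if (isOptionShaped(value)) {
        findings.push({ workflow: workflow.name, node: node.name, param, value });
      }
    }
  }
  return findings;
}

// NODES_EXCLUDE holds a JSON-array string, e.g. '["n8n-nodes-base.git"]'.
// Returns true only when the Git node is listed; a missing or malformed
// variable counts as "not excluded".
function gitNodeExcluded(nodesExcludeEnv) {
  if (!nodesExcludeEnv) return false;
  try {
    const list = JSON.parse(nodesExcludeEnv);
    return Array.isArray(list) && list.includes(GIT_NODE_TYPE);
  } catch {
    return false;
  }
}

// Constructed sample export (assumed parameter names): one benign push, one
// whose branch field carries an option-shaped token, and one non-Git node that
// must be ignored even though its URL contains "--".
const SAMPLE_WORKFLOW = {
  name: 'nightly-sync',
  nodes: [
    { name: 'Push docs', type: GIT_NODE_TYPE,
      parameters: { operation: 'push', repositoryPath: '/data/repos/docs', targetBranch: 'main' } },
    { name: 'Push odd', type: GIT_NODE_TYPE,
      parameters: { operation: 'push', repositoryPath: '/data/repos/docs', targetBranch: '--injected-option=x main' } },
    { name: 'HTTP', type: 'n8n-nodes-base.httpRequest',
      parameters: { url: 'https://example.invalid/--not-git' } },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findSuspiciousGitNodes(SAMPLE_WORKFLOW)) {
    console.log(`ALERT workflow=${f.workflow} node="${f.node}" param=${f.param} value=${JSON.stringify(f.value)}`);
  }
  console.log('Git node excluded via NODES_EXCLUDE:', gitNodeExcluded(process.env.NODES_EXCLUDE));
}
```

Run it against each exported workflow (n8n exports are plain JSON) and with the instance's NODES_EXCLUDE in the environment; a finding means the Git node's fields should be inspected by hand, and `false` for the exclusion check means the interim mitigation is not in place.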
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-44790 actively exploited?
No confirmed active exploitation of CVE-2026-44790 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-44790?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM orchestration pipelines, MLOps automation pipelines, Agentic workflow automation, CI/CD pipelines with Git integration.
What is the CVSS score for CVE-2026-44790?
CVE-2026-44790 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.63%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Exploitation Scenario
An attacker compromises or registers a legitimate n8n account with workflow editing permissions — achievable via phishing a developer, exploiting a weak password, or using a contractor account. They create a new workflow containing a Git node configured for a Push operation, injecting CLI flags such as --upload-pack=/bin/cat or -c core.sshCommand into the repository URL or branch field. When the workflow runs, n8n passes these flags unsanitized to the underlying git binary, which executes them in the server OS context. The attacker iterates: first reading /etc/passwd and /proc/1/environ to fingerprint the environment, then targeting /opt/n8n/.env or equivalent paths to harvest AI API keys (OpenAI, Anthropic), database connection strings, and any cloud provider credentials. With those keys, the attacker accesses the organization's OpenAI or Anthropic account, exfiltrates fine-tuned model weights or proprietary system prompts, pivots to connected databases, and potentially injects malicious instructions into live AI agent workflows — achieving persistent access across the entire AI infrastructure stack.
Weaknesses (CWE)
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (Primary): The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
- [Implementation] Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.
- [Architecture and Design] Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.
Source: MITRE CWE corpus.
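The contrast the guidance above draws, as an added example in Node.js (n8n's runtime) that is neither n8n's nor MITRE's code: a concatenated command string beside an argv-array builder. The argv form removes the shell, but git still interprets any argv element that starts with '-' as an option, so the hardened builder also rejects option-shaped values and places user-supplied positionals after '--', which git's option parser treats as end-of-options. The function names, the input shape (repository path, remote, branch) and the sample values are assumptions for illustration.

```javascript
// Added example, not n8n's own code: unsafe string command vs. validated argv.

// Vulnerable pattern (CWE-88): one string, built by concatenation, destined for
// a shell. Returned rather than executed here so the flaw is visible: any
// value beginning with '-' becomes a git option.
function buildPushCommandUnsafe(remote, branch) {
  return `git push ${remote} ${branch}`;
}

// Reject anything git would parse as an option.
function assertNotOption(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (value.startsWith('-')) {
    throw new Error(`${name} must not start with '-': ${JSON.stringify(value)}`);
  }
  return value;
}

// Remotes and refspecs additionally never contain whitespace.
function assertRefLike(name, value) {
  assertNotOption(name, value);
  if (/\s/.test(value)) {
    throw new Error(`${name} must not contain whitespace: ${JSON.stringify(value)}`);
  }
  return value;
}

// Hardened builder: separate argv elements (no shell), every user-controlled
// value validated, and '--' so git stops option parsing before the positionals.
// '-C <dir>' is git's own option, supplied by us; repoPath is only ever its value.
function buildPushArgv(repoPath, remote, branch) {
  assertNotOption('repoPath', repoPath);
  assertRefLike('remote', remote);
  assertRefLike('branch', branch);
  return ['-C', repoPath, 'push', '--', remote, branch];
}

// Executes the validated argv without a shell (execFile, not exec). Requires git
// on PATH and a real repository, so it is not exercised by the checks below.
function runGitPush(repoPath, remote, branch) {
  const { execFileSync } = require('node:child_process');
  return execFileSync('git', buildPushArgv(repoPath, remote, branch), {
    encoding: 'utf8',
    stdio: ['ignore', 'pipe', 'pipe'],
  });
}

// Constructed demonstration values: a benign branch and an option-shaped one.
const GOOD_BRANCH = 'main';
const BAD_BRANCH = '--injected-option=x';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', buildPushCommandUnsafe('origin', BAD_BRANCH));
  console.log('argv:  ', buildPushArgv('/srv/repo', 'origin', GOOD_BRANCH));
  try {
    buildPushArgv('/srv/repo', 'origin', BAD_BRANCH);
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

The validation is the part that matters for this CVE: switching from a shell string to an argv array closes command injection (CWE-78) but not argument injection (CWE-88), because the option-versus-positional distinction is made by git, not by the shell.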
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
- CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 9.9 n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 9.9 n8n: security flaw enables exploitation (same package: n8n)