CVE-2026-44790: n8n: Git node arg injection enables full server compromise

GHSA-57g9-58c2-xjg3 HIGH
Published May 14, 2026
CISO Take

n8n's Git node Push operation contains a high-severity argument injection flaw (CWE-88, CVSS:3.1 8.8) that allows any authenticated user with workflow creation or editing rights to inject CLI flags into the underlying git binary, enabling the read of arbitrary files that the n8n process can access on the server filesystem. In AI automation deployments, n8n servers routinely hold AI provider API keys (OpenAI, Anthropic, Google), database connection strings, and SSH private keys in environment files, so a file read is a short path to compromise of every integrated AI service. No public exploit or CISA KEV entry exists yet, but the attack requires only a valid user account and no user interaction (CVSS AC:L, PR:L, UI:N), and n8n's broad adoption in enterprise AI orchestration pipelines makes it a likely target for weaponization. Patch to n8n 1.123.43, 2.20.7, or 2.22.1; if patching is delayed, restrict workflow permissions to fully trusted administrators and disable the Git node by listing n8n-nodes-base.git in NODES_EXCLUDE.

Sources: GitHub Advisory, NVD, ATLAS, OpenSSF

What is the risk?

High risk for any organization running n8n as part of an AI agent or automation pipeline. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) scores 8.8, reflecting network-exploitable, low-complexity exploitation that requires only authenticated access with a standard developer or analyst account. In multi-user n8n deployments common in enterprise AI environments, the attacker population includes contractors, analysts, and developers who routinely hold workflow permissions. The package carries 80 prior CVEs and an OpenSSF Scorecard of 6.1/10, indicating elevated security debt. While no exploit code is public, the technique (CLI flag injection via untrusted input) is well understood and requires no specialized AI knowledge, so it is trivially weaponizable once details circulate.

How does the attack unfold?

Initial Access (AML.T0012)
  Attacker authenticates to n8n with a valid low-privilege account that has workflow creation or editing permissions, obtained via phishing, credential stuffing, or compromised contractor access.
Exploitation (AML.T0049)
  Attacker creates or modifies a workflow containing a Git node configured for the Push operation and supplies a value that git parses as a command-line option rather than as data. n8n passes the value unsanitized to the git binary; the advisory does not publish which field or which flags are involved.
Credential Harvest (AML.T0037)
  The injected options make git, running as the n8n service account, read and return files from the server filesystem. Likely targets are .env files, AI provider API keys (OpenAI, Anthropic), database passwords, and SSH private keys; in practice, anything the n8n process itself can read.
Full Compromise (AML.T0106)
  Harvested credentials enable lateral movement: the attacker accesses AI provider accounts, exfiltrates model configurations and proprietary prompts, pivots to connected databases, and injects malicious instructions into live AI pipelines.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | 1.x before 1.123.43 | 1.123.43
n8n | npm | 2.x before 2.20.7 | 2.20.7
n8n | npm | 2.x before 2.22.1 | 2.22.1
(The three fixed releases are those listed in the advisory; the original table recorded only the 1.x range.)
Package stats: 194.3K, OpenSSF 6.6, pushed 6d ago, 53% patched, ~7d to patch

If you run any n8n release older than the patched version for its release line, you are affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 46% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

6 steps
  1. PATCH IMMEDIATELY

    Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1, whichever matches the release line you run; these are the only complete remediations.

  2. INTERIM: RESTRICT PERMISSIONS

    Remove workflow creation and editing rights from all non-essential users; limit them to fully trusted administrators until patching is complete.

  3. INTERIM: DISABLE GIT NODE

    Add n8n-nodes-base.git to the NODES_EXCLUDE environment variable, which n8n reads as a JSON array string (for example NODES_EXCLUDE='["n8n-nodes-base.git"]'), and restart the n8n process so the node is no longer loaded. The server stays up, but workflows that use the Git node will fail until the patch is applied.

  4. ROTATE CREDENTIALS

    Audit and rotate all credentials stored in n8n environment files and in the n8n credentials store, prioritizing AI provider API keys, database passwords, and any cloud provider secrets. Treat everything the n8n process could read as exposed, including the N8N_ENCRYPTION_KEY that protects the credentials store, since an attacker holding it can decrypt exported credentials.

  5. NETWORK ISOLATION

    Verify n8n instances are not directly internet-exposed; enforce network segmentation and firewall rules to limit the attacker's access surface.

  6. DETECTION

    Review workflow definitions (exported JSON or the workflow entities in the n8n database) for Git nodes whose parameter values begin with a dash or are run-time expressions, and review execution history for Git node runs by unexpected users or against unexpected repository paths. Monitor server filesystem access logs and outbound network connections for unusual patterns after workflow executions. Exploitation looks like an ordinary workflow run to the application, so the workflow definition is the primary artifact to inspect.
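The DETECTION step above says to look for Git nodes with option-like parameters. The following is an added example written by the page editor in JavaScript (n8n is a Node.js application); it is not code from n8n or from the advisory. It statically audits exported workflow JSON, such as the output of n8n's export:workflow command, and assumes that the Git node's type string is n8n-nodes-base.git and that n8n stores expression parameters as strings beginning with "=" (resolved only at run time, so they cannot be judged statically and are flagged for manual review). The parameter names in the constructed sample (remote, branch, repositoryPath) are illustrative, not a statement of the node's real schema.

```javascript
// Added example by the page editor, not code from n8n or from the advisory.
// Statically audits exported n8n workflow JSON (for example the output of
// `n8n export:workflow --all`) for Git nodes whose parameter values could reach
// git as command-line options. Assumptions: the Git node's type string is
// "n8n-nodes-base.git", and n8n stores expression parameters as strings that
// begin with "=" (resolved only at run time, so they cannot be checked here).
// The parameter names in the sample data (remote, branch, repositoryPath) are
// illustrative, not a statement of the node's real schema.

const GIT_NODE_TYPE = 'n8n-nodes-base.git';

// Yield [dottedPath, string] for every string leaf inside a parameters object,
// so the scan does not depend on knowing the node's exact parameter names.
function* stringLeaves(value, path = []) {
  if (typeof value === 'string') {
    yield [path.join('.'), value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      yield* stringLeaves(value[i], [...path, String(i)]);
    }
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      yield* stringLeaves(child, [...path, key]);
    }
  }
}

// Classify a single parameter value from git's point of view.
function classifyValue(s) {
  if (s.startsWith('=')) return 'expression';   // dynamic: review where the data comes from
  if (s.startsWith('-')) return 'option-like';  // git would parse this as a flag
  return 'literal';
}

// Return one finding per suspicious string parameter on each Git node.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== GIT_NODE_TYPE) continue;
    for (const [parameter, value] of stringLeaves(node.parameters || {})) {
      const kind = classifyValue(value);
      if (kind === 'literal') continue;
      findings.push({ workflow: workflow.name, node: node.name, parameter, kind, value });
    }
  }
  return findings;
}

function auditAll(workflows) {
  return workflows.flatMap(auditWorkflow);
}

// Constructed sample export: one clean workflow and one whose Git node carries an
// option-like remote and a run-time expression for the branch. The Set node shows
// that option-like strings on non-Git nodes are deliberately ignored.
const SAMPLE_WORKFLOWS = [
  {
    name: 'nightly-backup',
    nodes: [
      { name: 'Git push', type: GIT_NODE_TYPE,
        parameters: { operation: 'push', repositoryPath: '/data/repo', remote: 'origin', branch: 'main' } },
      { name: 'Set', type: 'n8n-nodes-base.set',
        parameters: { values: { string: [{ name: 'note', value: '-dash-but-not-a-git-node' }] } } },
    ],
  },
  {
    name: 'contractor-sync',
    nodes: [
      { name: 'Git push', type: GIT_NODE_TYPE,
        parameters: { operation: 'push', repositoryPath: '/data/repo',
                      remote: '--some-option=value', branch: '={{ $json.branch }}' } },
    ],
  },
];

for (const f of auditAll(SAMPLE_WORKFLOWS)) {
  console.log(`${f.workflow} / ${f.node}: ${f.parameter} is ${f.kind}: ${JSON.stringify(f.value)}`);
}
```

Run it against a real export by replacing SAMPLE_WORKFLOWS with JSON.parse of the exported file. An "expression" finding is not proof of abuse; it means the value is computed at run time, so the upstream nodes feeding it (and who can edit them) need to be reviewed by hand.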

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system risk treatment; A.6.2 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure; LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-44790?

CVE-2026-44790 is an argument injection flaw (CWE-88, CVSS:3.1 8.8, HIGH) in the Push operation of n8n's Git node. An authenticated user with workflow creation or editing rights can supply values that the underlying git binary parses as command-line options, which lets them read arbitrary files the n8n process can access and harvest the API keys, database credentials and SSH keys that AI automation deployments typically keep in environment files. No public exploit or KEV entry exists yet. The flaw is fixed in n8n 1.123.43, 2.20.7 and 2.22.1; until patched, restrict workflow permissions to trusted administrators and disable the Git node via NODES_EXCLUDE.

Is CVE-2026-44790 actively exploited?

No confirmed active exploitation of CVE-2026-44790 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44790?

Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1, the only complete remediations. Until then, restrict workflow creation and editing rights to fully trusted administrators and disable the Git node by listing n8n-nodes-base.git in NODES_EXCLUDE. Afterwards, rotate every credential the n8n process could have read (environment files and the n8n credentials store, prioritizing AI provider API keys, database passwords and cloud secrets), confirm instances are not directly internet-exposed, and review workflow definitions and execution history for Git nodes with option-like or unexpected parameters.

What systems are affected by CVE-2026-44790?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM orchestration pipelines, MLOps automation pipelines, Agentic workflow automation, CI/CD pipelines with Git integration.

What is the CVSS score for CVE-2026-44790?

CVE-2026-44790 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.63%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, LLM orchestration pipelines, MLOps automation pipelines, Agentic workflow automation, CI/CD pipelines with Git integration

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4, A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02:2025, LLM06:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

Exploitation Scenario

An attacker compromises or registers a legitimate n8n account with workflow editing permissions, achievable by phishing a developer, exploiting a weak password, or using a contractor account. They create a workflow containing a Git node configured for a Push operation and place, in one of the node's user-controlled fields, a value that git reads as a command-line option rather than as a remote or refspec (the advisory does not publish the exact field or flags). When the workflow runs, n8n passes the value unsanitized to the git binary, which honours it as an option, and the resulting behaviour lets the attacker read any file the n8n process can read. The attacker iterates: first fingerprinting the host (for example /etc/passwd or the process environment), then reading the deployment's n8n environment file (such as /opt/n8n/.env or wherever the installation keeps it) to harvest AI API keys (OpenAI, Anthropic), database connection strings, and any cloud provider credentials. With those keys, the attacker uses the organization's OpenAI or Anthropic account, exfiltrates fine-tuning data, model configurations or proprietary system prompts, pivots to connected databases, and can inject malicious instructions into live AI agent workflows, achieving persistent access across the AI infrastructure stack.

Weaknesses (CWE)

CWE-88 — Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'): The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

  • [Implementation] Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.
  • [Architecture and Design] Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.

Source: MITRE CWE corpus.
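The CWE mitigations above describe the fix in the abstract, and the attack chain earlier on this page describes the Push operation placing user-controlled values in git's argument list. The following added example, written by the page editor in JavaScript (n8n runs on Node.js) and not taken from n8n's source or from the actual fix, puts the two side by side: a vulnerable argv builder and a hardened one. It does not invoke git; each builder returns the argv that would be handed to child_process.execFile('git', argv, { cwd }). The allow-list and the "--" terminator are the editor's choices; git's parse-options accepts "--" to end option parsing, and git 2.24 and later also accept "--end-of-options".

```javascript
// Added example by the page editor, not n8n's source and not the project's actual
// fix. Shows why passing user-controlled operands to git is an argument-injection
// (CWE-88) problem even when no shell is involved, and one way to harden it.
// Nothing here runs git: each builder returns the argv that would be handed to
// child_process.execFile('git', argv, { cwd }). The allow-list and the "--"
// terminator are the editor's choices; git's parse-options accepts "--" to end
// option parsing, and git 2.24+ also understands "--end-of-options".

// Vulnerable shape: remote and branch come straight from the workflow definition.
// execFile already prevents shell metacharacter injection (CWE-78), but a value
// beginning with "-" is still parsed by git as an option, not as an operand.
function buildPushArgsVulnerable(remote, branch) {
  return ['push', remote, branch];
}

// True when git would read the value as an option rather than an operand.
function looksLikeOption(value) {
  return typeof value === 'string' && value.startsWith('-');
}

// Conservative allow-list for a named remote and a simple refspec
// (e.g. "origin", "main", "HEAD:refs/heads/main"). URLs used as remotes need
// their own validation; the point here is that the first character is never "-".
const SAFE_OPERAND = /^[A-Za-z0-9][A-Za-z0-9._:\/-]*$/;

// Hardened shape: reject anything option-like or outside the allow-list, then put
// "--" in front of the operands so git stops option parsing before reaching them.
function buildPushArgsHardened(remote, branch) {
  for (const [name, value] of [['remote', remote], ['branch', branch]]) {
    if (looksLikeOption(value) || !SAFE_OPERAND.test(value)) {
      throw new Error(`refusing ${name} ${JSON.stringify(value)}: not a plain git operand`);
    }
  }
  return ['push', '--', remote, branch];
}

// Constructed inputs: a benign pair and a remote shaped like an option.
const BENIGN = { remote: 'origin', branch: 'main' };
const HOSTILE = { remote: '--some-option=value', branch: 'main' };

// Run both builders on one input and report what git would have received.
function compare(inputs) {
  const result = { vulnerable: buildPushArgsVulnerable(inputs.remote, inputs.branch) };
  try {
    result.hardened = buildPushArgsHardened(inputs.remote, inputs.branch);
  } catch (err) {
    result.hardened = null;       // nothing is passed to git
    result.rejected = err.message;
  }
  return result;
}

for (const inputs of [BENIGN, HOSTILE]) {
  console.log(JSON.stringify(inputs), '->', JSON.stringify(compare(inputs)));
}
```

The lesson is the one the CWE text makes: moving from a command string to an argument array closes command injection but not argument injection. Operands that a user controls still need validation against what they are supposed to be, plus a terminator so the binary cannot reinterpret them as options.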

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2026
Last Modified
June 24, 2026
First Seen
May 14, 2026
