CVE-2026-44791: n8n: XML node patch bypass enables host RCE

GHSA-wrwr-h859-xh2r CRITICAL
Published May 14, 2026
CISO Take

An authenticated n8n user with workflow creation or editing rights can exploit a prototype pollution flaw (CWE-1321) in the XML processing node to bypass a previously issued security fix (GHSA-hqr4-h3xv-9m3r) and achieve remote code execution on the n8n host. This is especially critical for AI-driven environments where n8n serves as the orchestration layer connecting LLMs, vector databases, and cloud APIs — full host compromise exposes every stored API key, webhook secret, and data pipeline configured in those workflows. No public exploit or Nuclei scanner template exists yet and the CVE is not in CISA KEV, but the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, scoring 9.9) signals low attack complexity once any workflow editor account is obtained, including via phishing or credential reuse. Patch immediately to n8n 1.123.43, 2.20.7, or 2.22.1; if patching is not feasible, restrict workflow editing to fully trusted users and add n8n-nodes-base.xml to the NODES_EXCLUDE environment variable as an interim control.

Sources: GitHub Advisory, NVD, OpenSSF, ATLAS

What is the risk?

Critical risk. CVSS 3.1 scores at 9.9 with a network-accessible, low-complexity, low-privilege attack vector and changed scope — meaning a successful exploit breaks out of the n8n application boundary and impacts the underlying host. The patch bypass nature of the vulnerability (circumventing GHSA-hqr4-h3xv-9m3r) indicates adversarial familiarity with the codebase and raises the likelihood of targeted exploitation by researchers who already studied the original advisory. With 80 prior CVEs in the same package and an OpenSSF Scorecard of 6.1/10, the package has a concerning security posture. No known active exploitation at time of publication, but the low exploitation complexity and critical impact justify immediate remediation.

How does the attack unfold?

Initial Access (AML.T0012)
The adversary authenticates to n8n using any account with workflow creation or editing permissions, obtained via phishing, credential reuse, or a compromised service account.

Vulnerability Exploitation (AML.T0049)
The adversary creates or modifies a workflow incorporating the XML node with a prototype pollution payload that bypasses the GHSA-hqr4-h3xv-9m3r patch, chaining it with additional n8n nodes to trigger code execution.

Code Execution on Host (AML.T0050)
The crafted workflow executes, achieving RCE in the context of the n8n server process on the host and granting full control of the underlying system.

Credential Harvest and Pivot (AML.T0083)
The adversary extracts the n8n credential store containing API keys for all integrated LLM APIs, databases, and cloud services, then pivots laterally to connected AI infrastructure.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable Range: < 1.123.43
Patched: 1.123.43


How severe is it?

CVSS 3.1: 9.9 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 46% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: High
A: High

What should I do?

  1. PATCH IMMEDIATELY: Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 — these are the fixed versions per the advisory.
  2. INTERIM WORKAROUND (if patching is delayed): Restrict workflow creation and editing permissions to the minimum set of fully trusted users; add n8n-nodes-base.xml to the NODES_EXCLUDE environment variable to disable the XML node entirely.
  3. AUDIT: Review all existing workflows for unauthorized XML node usage or suspicious node combinations that could indicate exploitation attempts; check the n8n host for unexpected processes, outbound connections, or new files created after login events.
  4. CREDENTIAL ROTATION: If n8n was internet-accessible with non-minimal workflow editor permissions, treat stored credentials (API keys, database connections, webhook secrets) as potentially compromised and rotate them.
  5. DETECTION: Alert on the n8n process spawning unexpected child processes; monitor for unexpected network connections originating from the n8n host.
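The audit step above can be scripted against exported workflow JSON. The following is an added helper, not n8n's own code: it checks a version string against the fixed releases the advisory names and flags workflows that use the XML node, ranking those that also contain a command or HTTP node higher. Only n8n-nodes-base.xml comes from the advisory; the other node type identifiers are assumed from n8n's naming convention, and the sample export is constructed.

```javascript
// Added audit helper (not n8n's own code). Checks an n8n version against the fixed
// releases named in the advisory and scans exported workflow JSON for the XML node
// and for the chained nodes the scenario describes. Node type ids other than
// n8n-nodes-base.xml are assumed from n8n's naming convention.
const XML_NODE = "n8n-nodes-base.xml";
const CHAIN_NODES = ["n8n-nodes-base.executeCommand", "n8n-nodes-base.httpRequest"];
// Fixed releases per the advisory: 1.123.43, 2.20.7 and 2.22.1.
// 2.21.x and 2.22.0 are not named as fixed, so they are treated as unpatched (assumption).
function isPatched(version) {
  const [major, minor, patch] = version.split(".").map(Number);
  if (major === 1) return minor > 123 || (minor === 123 && patch >= 43);
  if (major === 2) {
    if (minor === 20) return patch >= 7;
    return minor > 22 || (minor === 22 && patch >= 1);
  }
  return major > 2;
}

// Findings for one exported workflow object of the form { name, nodes: [{ name, type }] }.
function auditWorkflow(workflow) {
  const nodes = workflow.nodes || [];
  const types = new Set(nodes.map((n) => n.type));
  const xmlNodeNames = nodes.filter((n) => n.type === XML_NODE).map((n) => n.name);
  const chainedWith = CHAIN_NODES.filter((t) => types.has(t));
  let priority = "none";
  if (xmlNodeNames.length > 0) {
    // XML node next to a command or HTTP node is the combination to review first.
    priority = chainedWith.length > 0 ? "high" : "medium";
  }
  return { workflow: workflow.name, usesXmlNode: xmlNodeNames.length > 0, xmlNodeNames, chainedWith, priority };
}

// Only workflows that use the XML node are reported.
function auditAll(workflows) {
  return workflows.map(auditWorkflow).filter((f) => f.usesXmlNode);
}

// Constructed sample export shaped like n8n's workflow JSON (nodes with name and type).
const SAMPLE_WORKFLOWS = [
  { name: "invoice-parser", nodes: [
    { name: "Webhook", type: "n8n-nodes-base.webhook" },
    { name: "XML", type: XML_NODE },
    { name: "Execute Command", type: "n8n-nodes-base.executeCommand" } ] },
  { name: "daily-report", nodes: [
    { name: "Cron", type: "n8n-nodes-base.cron" },
    { name: "HTTP Request", type: "n8n-nodes-base.httpRequest" } ] },
];
console.log(JSON.stringify(auditAll(SAMPLE_WORKFLOWS), null, 2));
console.log("1.123.42 patched:", isPatched("1.123.42")); // false
```

Feed it the JSON returned by an n8n workflow export (one object per workflow) and review every "high" finding by hand before deciding whether the NODES_EXCLUDE workaround can be lifted.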

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
Article 9 - Risk Management System
ISO 42001
A.6.4 - AI System Implementation and Operation Security
NIST AI RMF
MANAGE 2.2 - Risk Treatment and Remediation
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities
LLM08:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-44791 actively exploited?

No confirmed active exploitation of CVE-2026-44791 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-44791?

This vulnerability affects the following AI/ML architecture patterns: AI workflow orchestration platforms, LLM integration pipelines, AI agent automation frameworks, Multi-model orchestration deployments, No-code/low-code AI builder environments.

What is the CVSS score for CVE-2026-44791?

CVE-2026-44791 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.63%.

What is the AI security impact?

Affected AI Architectures

AI workflow orchestration platforms
LLM integration pipelines
AI agent automation frameworks
Multi-model orchestration deployments
No-code/low-code AI builder environments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025, LLM08:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

Exploitation Scenario

An adversary with a low-privileged n8n account (obtained via phishing a developer, credential stuffing, or a compromised CI/CD service account) navigates to the workflow editor. They create or modify a workflow that incorporates the XML processing node, crafting an XML payload exploiting the prototype pollution weakness that bypasses the GHSA-hqr4-h3xv-9m3r patch. By chaining the malicious XML node with n8n's Execute Command or HTTP Request nodes, they achieve code execution in the context of the n8n server process. From there, they extract the n8n credential store — containing API keys for OpenAI, Anthropic, connected databases, and SaaS integrations — and establish a reverse shell or deploy a persistent implant. The entire kill chain requires only a valid workflow editor account and knowledge of the original patch bypass, with no user interaction needed beyond triggering workflow execution.

Weaknesses (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

  • [Implementation] By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
  • [Architecture and Design] By blocking modifications of attributes that resolve to the object prototype, such as __proto__ or prototype, this weakness can be mitigated.

Source: MITRE CWE corpus.
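The two CWE mitigations listed above, shown in code as an added example that is not part of the advisory or of n8n: a naive recursive merge that lets an input key named `__proto__` reach Object.prototype, beside a merge that drops prototype-resolving keys, plus the Object.freeze variant. The hostile input is constructed and parsed with JSON.parse, which is what makes the key an own property rather than a prototype assignment.

```javascript
// Added example (not n8n's or the advisory's code) of the two CWE-1321 mitigations
// above, applied to a recursive merge of parsed input into an application object.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Naive recursive merge, the pattern CWE-1321 describes: an input key named
// "__proto__" reaches Object.prototype because target["__proto__"] resolves to it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Mitigation [Architecture and Design]: drop keys that resolve to the prototype and
// only recurse into the target's own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Mitigation [Implementation]: freeze the prototype at process start so a polluting
// write is a no-op (or a TypeError in strict mode) even in unhardened merge code.
function freezePrototypes() {
  Object.freeze(Object.prototype);
}
// Reports whether merging `input` into a fresh object left a property on
// Object.prototype; a TypeError from a frozen prototype counts as "not polluted".
function pollutes(mergeFn, input) {
  try { mergeFn({}, input); } catch (e) { if (!(e instanceof TypeError)) throw e; }
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted; // clean up so the check is repeatable
  return leaked;
}
// Constructed hostile document. JSON.parse creates an own property literally named
// "__proto__" (it does not set the prototype), which the naive merge then walks into.
const HOSTILE_INPUT = JSON.parse('{"name":"report","__proto__":{"polluted":true}}');
console.log("unsafeMerge pollutes:", pollutes(unsafeMerge, HOSTILE_INPUT)); // true
console.log("safeMerge pollutes:", pollutes(safeMerge, HOSTILE_INPUT)); // false
```

The same key filter belongs wherever parsed XML or JSON attributes are copied onto objects, since the parser's output is the "upstream component" the CWE entry refers to.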

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: May 14, 2026
Last Modified: June 24, 2026
First Seen: May 14, 2026

Related Vulnerabilities