CVE-2026-44791: n8n: XML node patch bypass enables host RCE

GHSA-wrwr-h859-xh2r CRITICAL
Published May 14, 2026
CISO Take

An authenticated n8n user with workflow creation or editing rights can exploit a prototype pollution flaw (CWE-1321) in the XML processing node to bypass a previously issued security fix (GHSA-hqr4-h3xv-9m3r) and achieve remote code execution on the n8n host. This is especially critical for AI-driven environments where n8n serves as the orchestration layer connecting LLMs, vector databases, and cloud APIs — full host compromise exposes every stored API key, webhook secret, and data pipeline configured in those workflows. No public exploit or Nuclei scanner template exists yet and the CVE is not in CISA KEV, but the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, scoring 9.9) signals low attack complexity once any workflow editor account is obtained, including via phishing or credential reuse. Patch immediately to n8n 1.123.43, 2.20.7, or 2.22.1; if patching is not feasible, restrict workflow editing to fully trusted users and add n8n-nodes-base.xml to the NODES_EXCLUDE environment variable as an interim control.

Sources: GitHub Advisory, NVD, OpenSSF, ATLAS

What is the risk?

Critical risk. CVSS 3.1 scores at 9.9 with a network-accessible, low-complexity, low-privilege attack vector and changed scope — meaning a successful exploit breaks out of the n8n application boundary and impacts the underlying host. The patch bypass nature of the vulnerability (circumventing GHSA-hqr4-h3xv-9m3r) indicates adversarial familiarity with the codebase and raises the likelihood of targeted exploitation by researchers who already studied the original advisory. With 80 prior CVEs in the same package and an OpenSSF Scorecard of 6.1/10, the package has a concerning security posture. No known active exploitation at time of publication, but the low exploitation complexity and critical impact justify immediate remediation.

Attack Kill Chain

Initial Access
Adversary authenticates to n8n using any account with workflow creation or editing permissions, obtained via phishing, credential reuse, or a compromised service account.
AML.T0012
Vulnerability Exploitation
Adversary creates or modifies a workflow incorporating the XML node with a prototype pollution payload that bypasses the GHSA-hqr4-h3xv-9m3r patch, chaining it with additional n8n nodes to trigger code execution.
AML.T0049
Code Execution on Host
The crafted workflow executes, achieving RCE in the context of the n8n server process on the host, granting full control of the underlying system.
AML.T0050
Credential Harvest and Pivot
Adversary extracts the n8n credential store containing API keys for all integrated LLM APIs, databases, and cloud services, then pivots laterally to connected AI infrastructure.
AML.T0083

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable Range: < 1.123.43
Patched: 1.123.43

Package profile: 187.3K, OpenSSF 6.1, 16 dependents, pushed 4d ago, 43% patched, ~3d to patch

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps

  1. PATCH IMMEDIATELY
     Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 — these are the fixed versions per the advisory.

  2. INTERIM WORKAROUND (if patching is delayed)
     Restrict workflow creation and editing permissions to the minimum set of fully trusted users; add n8n-nodes-base.xml to the NODES_EXCLUDE environment variable to disable the XML node entirely.

  3. AUDIT
     Review all existing workflows for unauthorized XML node usage or suspicious node combinations that could indicate exploitation attempts; check the n8n host for unexpected processes, outbound connections, or new files created after login events.

  4. CREDENTIAL ROTATION
     If n8n was internet-accessible with non-minimal workflow editor permissions, treat stored credentials (API keys, database connections, webhook secrets) as potentially compromised and rotate them.

  5. DETECTION
     Alert on the n8n process spawning unexpected child processes; monitor for unexpected network connections originating from the n8n host.
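The workaround and audit steps above, as an added example that is not code from the n8n project or this advisory: it scans exported workflow JSON for the XML node and for the execution-capable nodes the advisory says it is chained with, and checks whether the NODES_EXCLUDE value actually disables the XML node. It assumes exports have the shape {"nodes": [{name, type, ...}]}, that NODES_EXCLUDE holds a JSON array string of node type ids, and the type ids n8n-nodes-base.executeCommand and n8n-nodes-base.httpRequest (only n8n-nodes-base.xml appears on the advisory); the sample workflows are constructed.

```javascript
// Added example (not n8n project code): audit exported workflow JSON for the XML
// node and for the execution-capable nodes the advisory says it is chained with,
// and check that the NODES_EXCLUDE interim workaround actually covers the XML node.
// Assumptions: exports look like {"nodes":[{name,type,...}]}; the executeCommand
// and httpRequest type ids are assumed (only n8n-nodes-base.xml is on the advisory);
// NODES_EXCLUDE is assumed to hold a JSON array string of node type ids.
const XML_NODE = 'n8n-nodes-base.xml';
const EXEC_SINKS = ['n8n-nodes-base.executeCommand', 'n8n-nodes-base.httpRequest'];

// Findings for one workflow: XML nodes present, execution-capable nodes present,
// and a severity that is 'high' only when both appear (the chaining condition).
function auditWorkflow(workflow) {
  const nodes = Array.isArray(workflow.nodes) ? workflow.nodes : [];
  const xmlNodes = nodes.filter(n => n.type === XML_NODE).map(n => n.name);
  const sinks = nodes.filter(n => EXEC_SINKS.includes(n.type)).map(n => `${n.name} (${n.type})`);
  let severity = 'none';
  if (xmlNodes.length > 0) severity = sinks.length > 0 ? 'high' : 'review';
  return { workflow: workflow.name || '(unnamed)', xmlNodes, sinks, severity };
}

// True only when NODES_EXCLUDE parses as a JSON array containing the XML node id.
// A bare comma-separated value is reported as not excluded, since under the
// assumed format n8n would not read it as a list (a silent misconfiguration).
function xmlNodeExcluded(envValue) {
  if (!envValue) return false;
  try {
    const list = JSON.parse(envValue);
    return Array.isArray(list) && list.includes(XML_NODE);
  } catch {
    return false;
  }
}

// Constructed sample workflows standing in for a real export of the instance
// (the webhook and cron type ids here are constructed sample values).
const SAMPLE_WORKFLOWS = [
  { name: 'invoice parser', nodes: [
      { name: 'Webhook', type: 'n8n-nodes-base.webhook' },
      { name: 'XML', type: XML_NODE },
      { name: 'Execute Command', type: 'n8n-nodes-base.executeCommand' } ] },
  { name: 'daily report', nodes: [
      { name: 'Cron', type: 'n8n-nodes-base.cron' },
      { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest' } ] },
];

const REPORT = SAMPLE_WORKFLOWS.map(auditWorkflow);
console.log(JSON.stringify(REPORT, null, 2));
console.log('XML node excluded by NODES_EXCLUDE:', xmlNodeExcluded(process.env.NODES_EXCLUDE));
```

Run it against the real export of every workflow and with the instance's own environment loaded; a 'high' finding means the XML node and a chaining node coexist in one workflow and deserves review before the audit is closed.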

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
Article 9 - Risk Management System
ISO 42001
A.6.4 - AI System Implementation and Operation Security
NIST AI RMF
MANAGE 2.2 - Risk Treatment and Remediation
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities
LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-44791?

An authenticated n8n user with workflow creation or editing rights can exploit a prototype pollution flaw (CWE-1321) in the XML processing node to bypass a previously issued security fix (GHSA-hqr4-h3xv-9m3r) and achieve remote code execution on the n8n host. This is especially critical for AI-driven environments where n8n serves as the orchestration layer connecting LLMs, vector databases, and cloud APIs — full host compromise exposes every stored API key, webhook secret, and data pipeline configured in those workflows. No public exploit or Nuclei scanner template exists yet and the CVE is not in CISA KEV, but the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, scoring 9.9) signals low attack complexity once any workflow editor account is obtained, including via phishing or credential reuse. Patch immediately to n8n 1.123.43, 2.20.7, or 2.22.1; if patching is not feasible, restrict workflow editing to fully trusted users and add n8n-nodes-base.xml to the NODES_EXCLUDE environment variable as an interim control.

Is CVE-2026-44791 actively exploited?

No confirmed active exploitation of CVE-2026-44791 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44791?

1. PATCH IMMEDIATELY: Upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 — these are the fixed versions per the advisory.
2. INTERIM WORKAROUND (if patching is delayed): Restrict workflow creation and editing permissions to the minimum set of fully trusted users; add n8n-nodes-base.xml to the NODES_EXCLUDE environment variable to disable the XML node entirely.
3. AUDIT: Review all existing workflows for unauthorized XML node usage or suspicious node combinations that could indicate exploitation attempts; check the n8n host for unexpected processes, outbound connections, or new files created after login events.
4. CREDENTIAL ROTATION: If n8n was internet-accessible with non-minimal workflow editor permissions, treat stored credentials (API keys, database connections, webhook secrets) as potentially compromised and rotate them.
5. DETECTION: Alert on the n8n process spawning unexpected child processes; monitor for unexpected network connections originating from the n8n host.

What systems are affected by CVE-2026-44791?

This vulnerability affects the following AI/ML architecture patterns: AI workflow orchestration platforms, LLM integration pipelines, AI agent automation frameworks, Multi-model orchestration deployments, No-code/low-code AI builder environments.

What is the CVSS score for CVE-2026-44791?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Impact

An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
  - Limit workflow creation and editing permissions to fully trusted users only.
  - Disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitation Scenario

An adversary with a low-privileged n8n account (obtained via phishing a developer, credential stuffing, or a compromised CI/CD service account) navigates to the workflow editor. They create or modify a workflow that incorporates the XML processing node, crafting an XML payload exploiting the prototype pollution weakness that bypasses the GHSA-hqr4-h3xv-9m3r patch. By chaining the malicious XML node with n8n's Execute Command or HTTP Request nodes, they achieve code execution in the context of the n8n server process. From there, they extract the n8n credential store — containing API keys for OpenAI, Anthropic, connected databases, and SaaS integrations — and establish a reverse shell or deploy a persistent implant. The entire kill chain requires only a valid workflow editor account and knowledge of the original patch bypass, with no user interaction needed beyond triggering workflow execution.

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 14, 2026

Related Vulnerabilities