PT-2026-28085 · N8N · N8N

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33724

CVSS v3.1 7.4 High
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: n8n versions prior to 2.5.0

Description: n8n is a workflow automation platform. When the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The attack requires a man-in-the-middle position on the network path between the n8n instance and the Git server.

Recommendations: Versions prior to 2.5.0 should be upgraded to version 2.5.0 or later. If upgrading is not immediately possible, disable the Source Control feature if it is not actively required, or restrict network access so that the n8n instance communicates with the Git server only over trusted, controlled network paths.
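As an added illustration of the weakness described above (example code, not n8n's own): a small POSIX shell audit that flags the SSH options which disable host key verification in a git SSH command, next to a hardened form pinned to an explicit known_hosts file. The key and known_hosts paths and the command strings are constructed for this example; n8n's actual internal SSH command is not shown on the advisory.

```shell
#!/bin/sh
# Added example, not n8n's own code: audit the SSH command a git client is told to
# use (for example via GIT_SSH_COMMAND) for options that disable host key
# verification, and build a hardened equivalent pinned to an explicit known_hosts
# file. Paths and command strings are constructed for illustration only.

# Constructed example of the weak pattern described in the advisory: the host key
# is never checked, so any server answering on the network path is accepted.
WEAK_SSH_CMD='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /srv/n8n/ssh/id_ed25519'

# audit_ssh_cmd CMD: print each option that weakens host key verification.
# Returns 0 if none is present, 1 otherwise. OpenSSH option names and values are
# case-insensitive, so the command is lowercased before matching. accept-new is
# not flagged: it pins the key after the first connection but trusts it blindly then.
audit_ssh_cmd() {
    _lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _found=0
    for _opt in 'stricthostkeychecking=no' 'stricthostkeychecking=off' \
                'userknownhostsfile=/dev/null'; do
        case "$_lc" in
            *"$_opt"*) echo "weak option: $_opt"; _found=1 ;;
        esac
    done
    return $_found
}

# hardened_ssh_cmd KEY KNOWN_HOSTS: build an SSH command that refuses to connect
# unless the server's key matches an entry in KNOWN_HOSTS. Populate that file from
# a fingerprint obtained out of band (e.g. the Git server's documentation) and
# confirm it with `ssh-keygen -lf KNOWN_HOSTS` before first use.
hardened_ssh_cmd() {
    echo "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$2 -i $1"
}

# Stand-alone demonstration.
if audit_ssh_cmd "$WEAK_SSH_CMD"; then
    echo "weak command passed audit (unexpected)"
else
    echo "weak command rejected; use instead:"
    hardened_ssh_cmd /srv/n8n/ssh/id_ed25519 /srv/n8n/ssh/known_hosts
fi
```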

Exploit

Fix

IDOR


Weakness Enumeration

Related identifiers

CVE-2026-33724
GHSA-43V7-FP2V-68F6

Affected products

N8N