PT-2026-40933 · N8N · N8N

Published: 2026-05-14 · Updated: 2026-05-21 · CVE-2026-44789

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

n8n versions prior to 1.123.43
n8n versions prior to 2.20.7
n8n versions prior to 2.22.1

Description

An authenticated user with permissions to create or modify workflows can achieve global prototype pollution through an unvalidated pagination parameter in the HTTP Request node. Prototype pollution occurs when an application allows an attacker to modify the prototype of a base object, potentially altering the behavior of all objects created from that prototype. This issue can be combined with other techniques to result in Remote Code Execution (RCE) on the instance.

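The class of bug the description refers to, shown as an added example that is not n8n's code and is not taken from the advisory: a hypothetical helper that writes a value at a caller-supplied dotted path, in a weak form and in a hardened form that rejects prototype-reaching keys. All function names and the constructed path `__proto__.polluted` are assumptions made for illustration.

```javascript
// Added example, not n8n code. setByPath-style helpers and all names here are
// hypothetical; they stand in for any code that writes to a caller-named path.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak form: follows every key in the path, including inherited ones such as
// __proto__, so a write can land on Object.prototype.
function unsafeSetByPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Hardened form: rejects prototype-reaching or empty keys up front and only
// descends into own properties, creating null-prototype containers as needed.
function safeSetByPath(target, path, value) {
  const keys = String(path).split('.');
  if (keys.some((k) => k === '' || FORBIDDEN_KEYS.has(k))) {
    throw new Error(`rejected path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Runs both forms on a constructed path and reports whether an unrelated,
// freshly created object picked up the property. Object.prototype is restored.
function comparePathHandling(path = '__proto__.polluted') {
  const result = { unsafeLeaks: false, safeRejects: false, safeLeaks: false };
  try {
    unsafeSetByPath({}, path, true);
    result.unsafeLeaks = ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
  try { safeSetByPath({}, path, true); } catch { result.safeRejects = true; }
  result.safeLeaks = ({}).polluted === true;
  return result;
}
```

The same key check applies to any merge, clone or path-assignment routine that accepts user-named keys.
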
Recommendations

Update to version 1.123.43 or later.
Update to version 2.20.7 or later.
Update to version 2.22.1 or later.
Limit workflow creation and editing permissions to fully trusted users only.
Disable the HTTP Request node by adding n8n-nodes-base.httpRequest to the NODES_EXCLUDE environment variable.

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-44789
GHSA-C8XV-5998-G76H

Affected Products

N8N