PT-2026-40934 · N8N · N8N
Published: 2026-05-14 · Updated: 2026-05-20
CVE-2026-44790
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 1.123.43
n8n versions prior to 2.20.7
n8n versions prior to 2.22.1
Description
An authenticated user with permissions to create or modify workflows can inject CLI flags during the Push operation of the Git node. This allows the attacker to read arbitrary files from the server, which can lead to a full system compromise and server-level remote code execution (RCE) by breaking sandboxes.
Recommendations
Update to version 1.123.43 or later.
Update to version 2.20.7 or later.
Update to version 2.22.1 or later.
Limit workflow creation and editing permissions to fully trusted users only.
Disable the Git node by adding n8n-nodes-base.git to the NODES_EXCLUDE environment variable.
Fix
Argument Injection
Weakness Enumeration
Related Identifiers
Affected Products
N8N