{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44789/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","rce","cve-2026-44789","n8n"],"_cs_type":"advisory","_cs_vendors":["n8n GmbH"],"content_html":"\u003cp\u003eA critical vulnerability exists in the n8n HTTP Request node that could allow an authenticated user to achieve remote code execution (RCE). The vulnerability stems from insufficient validation of pagination parameters within the HTTP Request node, leading to global prototype pollution. An attacker with permission to create or modify workflows can exploit this by injecting malicious payloads via the pagination settings. This vulnerability affects n8n versions prior to 1.123.43, versions 2.21.0 to 2.22.1, and versions 2.0.0-rc.0 to 2.20.7. Successful exploitation grants the attacker the ability to execute arbitrary code on the n8n instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe user creates or modifies an existing workflow.\u003c/li\u003e\n\u003cli\u003eWithin the workflow, the user adds an HTTP Request node.\u003c/li\u003e\n\u003cli\u003eThe user configures the HTTP Request node to use pagination.\u003c/li\u003e\n\u003cli\u003eThe user injects a malicious payload into the pagination parameter, exploiting the prototype pollution vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected payload pollutes the global prototype.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the prototype pollution to achieve code execution, potentially by overwriting critical functions or properties.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the n8n instance, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability, tracked as CVE-2026-44789, allows an attacker to execute arbitrary code on the n8n instance. This could lead to complete system compromise, data theft, or denial of service. The severity is rated as critical due to the potential for RCE and the relatively low skill required to exploit the vulnerability. Organizations using vulnerable versions of n8n are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.43, 2.20.7, 2.22.1, or later to patch CVE-2026-44789 (see Patches section).\u003c/li\u003e\n\u003cli\u003eLimit workflow creation and editing permissions to only fully trusted users as a short-term mitigation (see Workarounds section).\u003c/li\u003e\n\u003cli\u003eDisable the HTTP Request node by adding \u003ccode\u003en8n-nodes-base.httpRequest\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable as another temporary mitigation (see Workarounds section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:23:16Z","date_published":"2026-05-14T16:23:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-n8n-rce/","summary":"An authenticated user with workflow creation/modification permissions in n8n can achieve remote code execution (RCE) via global prototype pollution in the HTTP Request node due to an unvalidated pagination parameter, as tracked by CVE-2026-44789.","title":"n8n HTTP Request Node Prototype Pollution Vulnerability Leads to RCE (CVE-2026-44789)","url":"https://feed.craftedsignal.io/briefs/2026-05-n8n-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-44789","version":"https://jsonfeed.org/version/1.1"}