Cve-2026-44789 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-44789/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 14 May 2026 16:23:16 +0000n8n HTTP Request Node Prototype Pollution Vulnerability Leads to RCE (CVE-2026-44789)https://feed.craftedsignal.io/briefs/2026-05-n8n-rce/Thu, 14 May 2026 16:23:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-n8n-rce/An authenticated user with workflow creation/modification permissions in n8n can achieve remote code execution (RCE) via global prototype pollution in the HTTP Request node due to an unvalidated pagination parameter, as tracked by CVE-2026-44789.A critical vulnerability exists in the n8n HTTP Request node that could allow an authenticated user to achieve remote code execution (RCE). The vulnerability stems from insufficient validation of pagination parameters within the HTTP Request node, leading to global prototype pollution. An attacker with permission to create or modify workflows can exploit this by injecting malicious payloads via the pagination settings. This vulnerability affects n8n versions prior to 1.123.43, versions 2.21.0 to 2.22.1, and versions 2.0.0-rc.0 to 2.20.7. Successful exploitation grants the attacker the ability to execute arbitrary code on the n8n instance.

Attack Chain

  1. An authenticated user logs into the n8n instance.
  2. The user creates or modifies an existing workflow.
  3. Within the workflow, the user adds an HTTP Request node.
  4. The user configures the HTTP Request node to use pagination.
  5. The user injects a malicious payload into the pagination parameter, exploiting the prototype pollution vulnerability.
  6. The injected payload pollutes the global prototype.
  7. The attacker leverages the prototype pollution to achieve code execution, potentially by overwriting critical functions or properties.
  8. The attacker executes arbitrary commands on the n8n instance, potentially leading to complete system compromise.

Impact

Successful exploitation of this vulnerability, tracked as CVE-2026-44789, allows an attacker to execute arbitrary code on the n8n instance. This could lead to complete system compromise, data theft, or denial of service. The severity is rated as critical due to the potential for RCE and the relatively low skill required to exploit the vulnerability. Organizations using vulnerable versions of n8n are at significant risk.

Recommendation

  • Upgrade n8n to version 1.123.43, 2.20.7, 2.22.1, or later to patch CVE-2026-44789 (see Patches section).
  • Limit workflow creation and editing permissions to only fully trusted users as a short-term mitigation (see Workarounds section).
  • Disable the HTTP Request node by adding n8n-nodes-base.httpRequest to the NODES_EXCLUDE environment variable as another temporary mitigation (see Workarounds section).
]]>criticaladvisoryprototype-pollutionrcecve-2026-44789n8n