Contacts

Bulgaria, Kavarna
Saudi Arabia, Riyadh

+359 875 328030

sales@diamatix.com


Critical n8n Vulnerabilities Expose Automation and Workflow Infrastructure to RCE

Overview

Several critical vulnerabilities in the workflow automation platform n8n are raising serious security concerns after researchers confirmed chained exploitation paths leading to Remote Code Execution (RCE) and full compromise of affected environments.

The vulnerabilities impact key n8n nodes, including:

  • HTTP Request
  • Git
  • XML

and allow low-privileged users with workflow editing access to escalate attacks into full instance compromise.

Why This Matters

n8n is widely used for:

  • workflow automation
  • API orchestration
  • AI integrations
  • DevOps automation
  • SaaS connectivity
  • internal business process automation

As a result, the platform often has direct access to:

  • API keys
  • cloud credentials
  • internal systems
  • Git repositories
  • CI/CD environments
  • sensitive operational data

This makes these vulnerabilities far more than isolated software flaws.

The Vulnerabilities

CVE-2026-44789. Prototype Pollution in HTTP Request Node

The most severe vulnerability enables prototype pollution due to insufficient validation of pagination parameters.

This allows attackers to:

  • manipulate JavaScript object prototypes
  • inject malicious properties
  • chain the flaw into arbitrary code execution

In automation-heavy environments, this significantly expands the attack surface.
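The bug class behind CVE-2026-44789, as an added JavaScript example that is not n8n's code: a setter that writes to a caller-supplied dotted path, next to a hardened version that rejects prototype-reaching keys. The helper names and the `paging.limit` parameter are assumptions; the page does not describe the actual vulnerable code path.

```javascript
// Added illustration; setPathUnsafe/setPathSafe are hypothetical helpers, not n8n code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walks whatever keys the caller supplies, inherited ones included.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: reject dangerous or empty segments, descend only into own properties.
function setPathSafe(target, path, value) {
  const keys = String(path).split('.');
  if (keys.some((k) => k === '' || FORBIDDEN_KEYS.has(k))) {
    throw new Error(`rejected parameter path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    // An inherited object (such as Object.prototype) is never reused as a container.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on constructed input and reports what happened.
function demo() {
  setPathUnsafe({}, '__proto__.polluted', true);
  const leaked = ({}).polluted === true; // unrelated objects now inherit the flag
  delete Object.prototype.polluted;      // undo so the process is clean again
  let rejected = false;
  try { setPathSafe({}, '__proto__.polluted', true); } catch { rejected = true; }
  const ok = setPathSafe({}, 'paging.limit', 50);
  return { leaked, rejected, cleanAfter: ({}).polluted === undefined, limit: ok.paging.limit };
}
```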

CVE-2026-44790. Argument Injection in Git Node

The second vulnerability affects the Git node and allows malicious CLI argument injection during Git operations.

Attackers may:

  • read arbitrary files
  • access configuration data
  • extract environment variables
  • compromise credentials

In some environments, this can directly lead to full system compromise.
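One way to defend against the argument-injection class described for CVE-2026-44790, as an added example that is not n8n's code: user-controlled values are validated and placed in a fixed argv array intended for `execFile('git', argv)`, never a shell string. `buildGitArgs`, the allowed operations and the sample values are assumptions.

```javascript
// Added illustration; buildGitArgs is a hypothetical helper, not n8n code.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/; // can never start with "-"
const ALLOWED_URL_SCHEMES = new Set(['https:', 'ssh:']);

function assertName(label, value) {
  if (typeof value !== 'string' || !SAFE_NAME.test(value) || value.includes('..')) {
    throw new Error(`invalid ${label}: ${JSON.stringify(value)}`);
  }
  return value;
}

function assertRepoUrl(value) {
  let url;
  try { url = new URL(value); } catch { throw new Error('invalid repository URL'); }
  if (!ALLOWED_URL_SCHEMES.has(url.protocol) || url.hostname.startsWith('-')) {
    throw new Error('repository URL not allowed');
  }
  return value;
}

// Returns argv for execFile('git', argv): options are fixed by this code, and
// "--" marks the end of options so later values cannot be parsed as flags.
function buildGitArgs(op, input) {
  switch (op) {
    case 'clone':
      return ['clone', '--', assertRepoUrl(input.url), assertName('directory', input.dir)];
    case 'fetch':
      return ['fetch', '--', assertName('remote', input.remote), assertName('ref', input.ref)];
    case 'checkout':
      // For checkout, "--" ends the revision and starts the (empty) pathspec list.
      return ['checkout', assertName('ref', input.ref), '--'];
    default:
      throw new Error(`operation not allowed: ${op}`);
  }
}
```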

CVE-2026-44791. XML Node Patch Bypass

The third issue bypasses a previous security fix in the XML node.

Researchers report that attackers can abuse alternate exploitation paths to reintroduce prototype pollution risks even in partially patched environments.

Affected Versions

According to published advisories, affected versions include:

  • n8n versions prior to 1.123.43
  • 2.20.7
  • 2.22.1

Security patches are already available and organizations are strongly encouraged to update immediately.

Broader Security Implications

This case highlights a broader security challenge surrounding modern automation platforms.

Within orchestration environments like n8n:

  • a single compromised node may expose multiple systems
  • workflows often operate with elevated permissions
  • automation chains connect cloud, SaaS, and internal services
  • secrets are frequently embedded directly in workflows

Compromise of the automation layer may therefore enable:

  • lateral movement
  • credential theft
  • cloud compromise
  • CI/CD abuse
  • operational disruption

DIAMATIX Perspective

Automation platforms are increasingly becoming part of the modern attack surface.

As organizations expand usage of:

  • AI agents
  • workflow automation
  • low-code orchestration
  • API chaining

security visibility across these environments becomes critical.

These platforms often operate with:

  • elevated privileges
  • production integrations
  • cloud identities
  • sensitive business logic

while monitoring and segmentation around automation infrastructure frequently remain limited.

CISO Analysis

These vulnerabilities demonstrate why workflow orchestration systems should be treated as critical infrastructure.

Organizations need visibility into:

  • workflow execution behavior
  • privileged automation actions
  • secrets exposure
  • unusual node activity
  • API abuse patterns
  • internal system access originating from automation platforms

Particular attention should be given to:

  • restricting workflow editing permissions
  • segmentation of automation environments
  • outbound traffic monitoring
  • integration and secret inventory management

What this means for your environment

  • This type of attack relies on compromised automation workflows and interconnected systems, not just a single software flaw
  • Detection depends on visibility into workflow behavior, node execution, and privileged automation activity
  • Response requires rapid patching, segmentation, and monitoring of automation environments

Do you have visibility into automation workflows connected to production systems?
Could your environment detect suspicious execution activity inside orchestration platforms?
See how these attack chains are investigated and handled in real operational environments.



Sources

  • GitHub Security Advisories
  • Public disclosure by security researcher Jubke
  • n8n Security Updates
  • Industry vulnerability reporting and technical analysis (May 2026)

This article is based on publicly available threat intelligence information as of May 2026
