CVE-2026-44790 · n8n Git node argument injection allows arbitrary file read

01 · The Real Story

This is a lockpick hidden inside the janitor’s badge rather than a brick through the front window

CVE-2026-44790 is an *argument injection* flaw in n8n's Git node during the Push operation. A user who can create or modify workflows can smuggle extra CLI flags into the underlying git command, turning a normal source-control action into arbitrary file read on the n8n server. The reviewed sources point to affected ranges of all 1.x before 1.123.43, 2.0.0-rc.0 through 2.20.6, and 2.21.0 through 2.22.0, with fixes in 1.123.43, 2.20.7, and 2.22.1.

The vendor advisory scores it as critical, but operationally that overshoots reality for most enterprises. This is *not* unauthenticated internet RCE; it requires authenticated access plus workflow-edit capability plus reachability to the Git node push path, which makes it a post-initial-access or insider-abuse problem. The impact is absolutely ugly once those prerequisites are met, but the attacker-position friction is strong enough to land this at = ASSESSED AT HIGH rather than CRITICAL.

"Post-auth and role-limited, but a hostile workflow editor can still turn this into host compromise fast."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Obtain workflow-editor access

The attacker first needs a valid n8n account that can create or modify workflows. In practice this is a compromised user account, over-permissioned integration user, or malicious insider; the advisory's own prerequisite is authenticated access with workflow editing rights.

Conditions required:

Authenticated access to the n8n instance
Permission to create or edit workflows

Where this breaks in practice:

Many enterprises keep n8n behind SSO, VPN, reverse proxy ACLs, or private network exposure
Workflow editing is often limited to admins or automation engineers rather than every user
MFA and IdP logging materially raise the cost of reaching this step

Detection/coverage: Identity telemetry and n8n audit/change logs are the best coverage here; perimeter scanners will not see this prerequisite.

STEP 02

Weaponize the Git node push path

Using the native n8n Git node Push operation referenced in GHSA-57g9-58c2-xjg3, the attacker supplies crafted input that is passed to the backend git CLI without safe argument boundaries. That turns user-controlled workflow data into command-line flag injection rather than a plain Git action.

Conditions required:

The Git node is installed and not excluded with NODES_EXCLUDE
The attacker can execute or save a workflow using the Git node

Where this breaks in practice:

Not every n8n deployment uses the Git node at all
Some teams already disable risky nodes in production
Source-control features may be segregated to a smaller admin population

Detection/coverage: SCA/version scanners can flag vulnerable builds; DAST rarely exercises authenticated workflow design paths deeply enough to catch this.

STEP 03

Read local secrets from the host

The injected git flags can coerce the server-side Git invocation into exposing arbitrary local files. That gives the attacker a clean path to .env, credential material, API tokens, private keys, or other secrets accessible to the n8n process account.

Conditions required:

The n8n process can read sensitive files on disk
Secrets of interest are present on the host or mounted into the container

Where this breaks in practice:

Container isolation, read-only filesystems, and least-privileged service accounts can narrow what is actually readable
Well-segmented secret stores reduce how much long-lived material is available on disk

Detection/coverage: EDR may catch suspicious child-process behavior or unusual file access; application-layer detections are weak unless workflow executions are logged and reviewed.

STEP 04

Pivot from file read to full environment compromise

The advisory explicitly warns that arbitrary file read can lead to full compromise, and that is believable in real n8n estates because the platform commonly holds cloud keys, OAuth tokens, database creds, and internal API secrets. Even without native code execution in the exploit itself, stolen secrets can let the attacker take over the n8n instance, connected SaaS, or the underlying host through secondary access paths.

Conditions required:

Exposed secrets are valid and high privilege
The attacker can reuse the secrets against internal or external systems

Where this breaks in practice:

Short-lived tokens, external secret stores, and scoped service accounts reduce blast radius
Secret rotation and environment hardening can cut the follow-on value quickly

Detection/coverage: Secret-use anomalies, impossible-travel logins, and downstream cloud audit trails may show the second-stage abuse; the original vuln often looks like normal workflow activity.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No reviewed source showed confirmed active exploitation. CISA KEV does not list this CVE, and the public reporting reviewed describes risk and potential chaining, not observed campaigns.
Proof-of-concept availability	I found no public PoC repo for `CVE-2026-44790` in the reviewed sources. Public discussion exists in SecurityOnline and Black Kite, but not a weaponized exploit release.
EPSS	No CVE-specific EPSS figure surfaced in the reviewed sources. Treat EPSS as not yet available / not surfaced rather than low.
KEV status	Not listed in CISA's Known Exploited Vulnerabilities catalog.
Vendor severity and vector	The n8n GitHub advisory marks it Critical 9.4 and provides `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Read that as: remotely reachable and easy to trigger once the attacker already has low privileges inside n8n.
Affected versions	Reviewed sources point to affected branches of `1.x < 1.123.43`, `2.0.0-rc.0` through `2.20.6`, and `2.21.0` through `2.22.0`.
Fixed versions	Patch targets are `1.123.43`, `2.20.7`, and `2.22.1` or later. I found no distro backport guidance in the reviewed sources.
Exposure data	Black Kite cites approximately 60,833 n8n instances discoverable on Shodan. That says the platform is widely exposed, but this flaw still needs authenticated workflow-editor access.
Disclosure and credits	The official advisory was published on 2026-05-13. The GitHub advisory credits Simon Köck as reporter; the advisory page shows Jubke as publisher.
Detection coverage	This is a good SCA / version inventory problem and a bad perimeter scanner problem. External scanning won't prove exploitability because the decisive prerequisites are app auth, RBAC, and node usage.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.1/10)

The single biggest downward pressure is that exploitation requires authenticated workflow-editor access, which makes this a post-initial-access or insider-abuse path rather than a front-door internet smash-and-grab. It still earns HIGH because n8n commonly concentrates high-value secrets, so once that prerequisite is met the blast radius can jump from one workflow to the host and connected services very quickly.

HIGH Affected versions, fixed versions, and core exploit prerequisite

MEDIUM Real-world exposure prevalence of Git node usage in enterprise deployments

MEDIUM Near-term weaponization likelihood in public exploit tooling

Why this verdict

Downward pressure: requires authenticated remote access — this is not unauthenticated internet exploitation; the attacker must already be in the app.
More downward pressure: requires workflow creation or editing rights — that implies a specific role, not just any session, which narrows the reachable victim population in real deployments.
Additional friction: Git node push path must be present and usable — many enterprises will not expose or rely on this exact node path in every instance.
Upward pressure: blast radius is bigger than 'just file read' — on n8n, arbitrary file read usually means secrets theft, and secrets on an automation hub often unlock the host and downstream SaaS or databases.
No exploitation evidence to force CRITICAL — no KEV listing and no reviewed public PoC means there is no current pressure to override the role-based friction.

Why not higher?

CRITICAL should be reserved for things defenders can expect to be hit from the outside with minimal preconditions or for flaws already being exploited at scale. This one needs a valid account plus workflow-edit capability and a relevant node path, so the reachable attacker population is meaningfully smaller than the vendor-style impact score suggests.

Why not lower?

Dropping this to MEDIUM would understate the consequences once the prerequisites are met. n8n is an orchestration hub that routinely stores privileged credentials, so arbitrary host file read can become tenant-wide or environment-wide compromise with very little extra work.

05 · Compensating Control

What to do — in priority order.

Restrict workflow editing to trusted admins — Treat this as the primary choke point because the exploit dies without workflow create/edit rights. Review RBAC, remove editor rights from standard users and service identities, and complete that access reduction within 30 days.
Disable the Git node where not required — Add n8n-nodes-base.git to NODES_EXCLUDE on instances that do not genuinely need Git operations. This directly removes the vulnerable execution path and should be deployed within 30 days if patch rollout is not immediate.
Put n8n behind strong identity controls — Enforce SSO, MFA, IP allowlists/VPN, and session monitoring on all self-hosted n8n admin surfaces. This does not fix the bug, but it materially raises the bar for reaching the authenticated prerequisite and should be enforced within 30 days.
Run n8n with least OS privilege — Use a dedicated low-privilege service account, minimize mounted secrets, and keep filesystem permissions tight so arbitrary file read returns less useful material. This is blast-radius reduction, not remediation, and should be implemented within 30 days on high-value deployments.
Audit and rotate exposed secrets after suspected abuse — Because the exploit path is file read, assume .env, tokens, SSH keys, and integration credentials may have been copied if you find suspicious workflow changes. Prioritize rotation of secrets reachable by the n8n process within 30 days, faster if compromise indicators exist.

What doesn't work

A WAF is not the answer here; the decisive actions happen after login inside workflow configuration and backend node execution, where edge signatures have poor visibility.
Masking secrets in the UI does not help; the attack targets files readable by the process account, not just values rendered in the credential manager.
Blocking outbound Git traffic alone is incomplete; this bug's value is arbitrary local file read, so the dangerous data may already be on disk before any network pivot.

06 · Verification

Crowdsourced verification payload.

Run this on the target n8n host or inside the n8n container; non-root is fine as long as you can execute n8n --version or read the installed package.json. Example: bash check_cve_2026_44790.sh or bash check_cve_2026_44790.sh /usr/local/lib/node_modules/n8n/package.json.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_44790.sh
# Detects whether the installed n8n version falls in the vulnerable ranges for CVE-2026-44790.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

get_version() {
  local pkg_path="${1:-}"

  if [ -n "$pkg_path" ] && [ -f "$pkg_path" ]; then
    local v
    v=$(grep -E '"version"[[:space:]]*:' "$pkg_path" 2>/dev/null | head -n1 | sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/')
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
  fi

  if command -v n8n >/dev/null 2>&1; then
    local v
    v=$(n8n --version 2>/dev/null | head -n1 | tr -d '\r')
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
  fi

  for p in \
    /usr/local/lib/node_modules/n8n/package.json \
    /opt/n8n/package.json \
    /home/node/.n8n/package.json \
    ./package.json; do
    if [ -f "$p" ]; then
      local v
      v=$(grep -E '"version"[[:space:]]*:' "$p" 2>/dev/null | head -n1 | sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/')
      if [ -n "$v" ]; then
        echo "$v"
        return 0
      fi
    fi
  done

  return 1
}

normalize() {
  echo "$1" | tr -d '[:space:]' | sed 's/^v//' | sed 's/+.*$//'
}

main() {
  local raw_version
  if ! raw_version=$(get_version "${1:-}"); then
    echo "UNKNOWN - could not determine installed n8n version"
    exit 2
  fi

  local version
  version=$(normalize "$raw_version")
  local base="${version%%-*}"

  IFS='.' read -r major minor patch <<< "$base"

  if ! [[ "$major" =~ ^[0-9]+$ && "$minor" =~ ^[0-9]+$ && "$patch" =~ ^[0-9]+$ ]]; then
    echo "UNKNOWN - unrecognized version format: $raw_version"
    exit 2
  fi

  # Vulnerable ranges gathered from reviewed sources:
  #   1.x < 1.123.43
  #   2.0.0-rc.0 through 2.20.6
  #   2.21.0 through 2.22.0
  # Fixed:
  #   1.123.43+
  #   2.20.7+
  #   2.22.1+

  if [ "$major" -eq 0 ]; then
    echo "VULNERABLE - n8n version $raw_version"
    exit 1
  fi

  if [ "$major" -eq 1 ]; then
    if [ "$minor" -lt 123 ] || { [ "$minor" -eq 123 ] && [ "$patch" -lt 43 ]; }; then
      echo "VULNERABLE - n8n version $raw_version"
      exit 1
    else
      echo "PATCHED - n8n version $raw_version"
      exit 0
    fi
  fi

  if [ "$major" -eq 2 ]; then
    if [ "$minor" -lt 20 ]; then
      echo "VULNERABLE - n8n version $raw_version"
      exit 1
    elif [ "$minor" -eq 20 ]; then
      if [ "$patch" -lt 7 ]; then
        echo "VULNERABLE - n8n version $raw_version"
        exit 1
      else
        echo "PATCHED - n8n version $raw_version"
        exit 0
      fi
    elif [ "$minor" -eq 21 ]; then
      echo "VULNERABLE - n8n version $raw_version"
      exit 1
    elif [ "$minor" -eq 22 ]; then
      if [ "$patch" -lt 1 ]; then
        echo "VULNERABLE - n8n version $raw_version"
        exit 1
      else
        echo "PATCHED - n8n version $raw_version"
        exit 0
      fi
    else
      echo "PATCHED - n8n version $raw_version"
      exit 0
    fi
  fi

  if [ "$major" -gt 2 ]; then
    echo "PATCHED - n8n version $raw_version"
    exit 0
  fi

  echo "UNKNOWN - unable to classify n8n version $raw_version"
  exit 2
}

main "$@"

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as a HIGH priority on every self-hosted n8n estate that allows more than a tiny trusted admin set to edit workflows. Under the noisgate mitigation SLA, apply compensating controls within 30 days: strip workflow-editor rights to trusted admins only, disable the Git node where unused, and harden identity controls around n8n. Under the noisgate remediation SLA, move every affected instance to 1.123.43, 2.20.7, or 2.22.1 and finish patching within 180 days; there is no active-exploitation override here because I found no KEV listing or public exploitation evidence.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.