=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN536
_____________________________________________________________________

DATE                : 21/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running n8n (npm) versions prior to
                          1.123.43, 2.22.1, 2.20.7.

=====================================================================
https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r
https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h
https://github.com/n8n-io/n8n/security/advisories/GHSA-57g9-58c2-xjg3
https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w
https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7
_____________________________________________________________________
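Added triage helper (not part of the CERT-Renater note and not n8n's own
code): given the running n8n version and the NODES_EXCLUDE setting, it
classifies each of the five advisories below as fixed, mitigated by the
interim workaround, or still exposed. Two assumptions are made: each "< X"
bound is read as applying to the release line X belongs to (1.x against
1.123.43, 2.20.x against 2.20.7, every other 2.x against the 2.2x bound),
and NODES_EXCLUDE is read as a JSON array of node type names, which is the
format the n8n documentation describes.

```javascript
// Added example, not n8n code. Fixed versions per advisory are copied from
// the advisory text; the release-line interpretation is an assumption.
const ADVISORIES = [
  { id: 'GHSA-wrwr-h859-xh2r', cve: 'CVE-2026-44791', node: 'n8n-nodes-base.xml',
    fixed: { '1': '1.123.43', '2.20': '2.20.7', '2': '2.22.1' } },
  { id: 'GHSA-c8xv-5998-g76h', cve: 'CVE-2026-44789', node: 'n8n-nodes-base.httpRequest',
    fixed: { '1': '1.123.43', '2.20': '2.20.7', '2': '2.22.1' } },
  { id: 'GHSA-57g9-58c2-xjg3', cve: 'CVE-2026-44790', node: 'n8n-nodes-base.git',
    fixed: { '1': '1.123.43', '2.20': '2.20.7', '2': '2.22.1' } },
  { id: 'GHSA-mhrx-qhrj-673w', cve: 'CVE-2026-44792', node: null,   // no node to exclude
    fixed: { '1': '1.123.43', '2.20': '2.20.7', '2': '2.21.1' } },
  { id: 'GHSA-6h4j-wcr9-2vg7', cve: 'CVE-2026-45732', node: null,
    fixed: { '1': '1.123.43', '2.20': '2.20.7', '2': '2.21.1' } },
];

// "1.123.43" or "v2.20.7" -> [1, 123, 43]; pre-release suffixes are ignored.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assumption: map the running version to the release line the advisory bounds refer to.
function fixedVersionFor(version, fixed) {
  const [major, minor] = version;
  if (major <= 1) return fixed['1'];
  if (major === 2) return minor === 20 ? fixed['2.20'] : fixed['2'];
  throw new Error(`release line ${major}.x is not covered by these advisories`);
}

// Assumption: NODES_EXCLUDE holds a JSON array of node type names (n8n docs format).
function parseNodesExclude(envValue) {
  if (!envValue) return new Set();
  const list = JSON.parse(envValue);
  if (!Array.isArray(list) || !list.every((n) => typeof n === 'string')) {
    throw new Error('NODES_EXCLUDE must be a JSON array of strings');
  }
  return new Set(list);
}

// Returns { fixed, mitigated, exposed }, each a list of CVE ids in advisory order.
function triage(versionString, nodesExcludeEnv = '') {
  const version = parseVersion(versionString);
  const excluded = parseNodesExclude(nodesExcludeEnv);
  const result = { fixed: [], mitigated: [], exposed: [] };
  for (const adv of ADVISORIES) {
    const fixedAt = parseVersion(fixedVersionFor(version, adv.fixed));
    if (compareVersions(version, fixedAt) >= 0) {
      result.fixed.push(adv.cve);
    } else if (adv.node !== null && excluded.has(adv.node)) {
      result.mitigated.push(adv.cve);   // workaround applied; still upgrade
    } else {
      result.exposed.push(adv.cve);
    }
  }
  return result;
}

// Constructed sample run: a 2.20.x instance with two of the three nodes excluded.
console.log(triage('2.20.6', '["n8n-nodes-base.xml","n8n-nodes-base.git"]'));
```

The "mitigated" bucket is deliberately separate from "fixed": as every
advisory below says, excluding a node is a short-term measure, and the
Source Control and OAuth issues have no node to exclude at all.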


XML Node Prototype Pollution Patch Bypass
Critical
Jubke published GHSA-wrwr-h859-xh2r May 13, 2026

Package
n8n (npm)

Affected versions
< 1.123.43
< 2.22.1
< 2.20.7

Patched versions
>= 1.123.43
>= 2.22.1
>= 2.20.7

Description

Impact

An authenticated user with permission to create or modify workflows
could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When
combined with other nodes, this could lead to RCE on the n8n host.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1.
Users should upgrade to one of these versions or later to remediate
the vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should consider
the following temporary mitigations:

    - Limit workflow creation and editing permissions to fully trusted
      users only.
    - Disable the XML node by adding n8n-nodes-base.xml to the
      NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used
as short-term mitigation measures.

n8n has adopted CVSS 4.0 as primary score for all security advisories.
CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity
Critical
9.4 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-44791

Weaknesses
No CWEs

Credits

    @simonkoeck (Reporter)
_____________________________________________________________________

HTTP Request Node Pagination Prototype Pollution to RCE
Critical
Jubke published GHSA-c8xv-5998-g76h May 13, 2026

Package
n8n (npm)

Affected versions
< 1.123.43
< 2.22.1
< 2.20.7

Patched versions
>= 1.123.43
>= 2.22.1
>= 2.20.7

Description

Impact

An authenticated user with permission to create or modify workflows could
achieve global prototype pollution via an unvalidated pagination
parameter in the HTTP Request node. Combined with other techniques this
could lead to RCE on the instance.


Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1.
Users should upgrade to one of these versions or later to remediate
the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should
consider the following temporary mitigations:

    - Limit workflow creation and editing permissions to fully trusted
      users only.
    - Disable the HTTP Request node by adding n8n-nodes-base.httpRequest
      to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only
be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as primary score for all security
advisories. CVSS 3.1 vector strings are provided for backwards
compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity
Critical
9.4 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-44789

Weaknesses
CWE-1321 (Improperly Controlled Modification of Object Prototype
Attributes, "Prototype Pollution")

Credits

    @sm1ee (Reporter)
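Both of the advisories above (the XML node and the HTTP Request node
pagination parameter) come down to the same defect class: attacker-shaped
input is merged into an object by a routine that will happily follow
"__proto__", "constructor" or "prototype" keys up to Object.prototype. The
following added example is not n8n's code; it shows a merge that cannot
reach the prototype chain, plus a cheap runtime canary a defender can run on
a long-lived Node process. The sample input is constructed for the example.

```javascript
// Added example, not n8n code: prototype-safe deep merge and a canary.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True for objects from literals, JSON.parse or Object.create(null);
// false for arrays, class instances, Dates, etc., which are copied as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`: own enumerable keys only, forbidden
// keys dropped, nested containers created with a null prototype so that
// nothing reached through them can climb to Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : Object.create(null);
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Canary: Object.prototype normally has no own enumerable keys. Anything
// returned here was written by someone and should raise an alert.
function unexpectedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample: pagination-style parameters whose keys try to reach
// the prototype chain. JSON.parse makes "__proto__" an ordinary own key,
// which is exactly why a naive recursive merge is dangerous.
const SAMPLE_INPUT = JSON.parse(
  '{"page":"2","__proto__":{"polluted":"yes"},' +
  '"cursor":{"constructor":{"prototype":{"p":1}},"next":"abc"}}'
);

function demo() {
  const merged = safeMerge({ page: '1' }, SAMPLE_INPUT);
  return { merged, canary: unexpectedPrototypeKeys(), polluted: ({}).polluted };
}

console.log(demo());
```

In an incident-response context the canary is the useful piece: a polluted
prototype shows up as an own enumerable key on Object.prototype, so a
periodic check (or one wired to a health endpoint) gives a signal that the
merge bug has actually been exercised, not just that it exists.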

_____________________________________________________________________


Arbitrary File Read via Git Node
Critical
Jubke published GHSA-57g9-58c2-xjg3 May 13, 2026

Package
n8n (npm)

Affected versions
< 1.123.43
< 2.22.1
< 2.20.7

Patched versions
>= 1.123.43
>= 2.22.1
>= 2.20.7

Description

Impact

An authenticated user with permission to create or modify workflows could
inject CLI flags on the Git node's Push operation allowing an attacker
to read arbitrary files from the n8n server potentially leading to full
compromise.


Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1.
Users should upgrade to one of these versions or later to remediate
the vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should consider
the following temporary mitigations:

    - Limit workflow creation and editing permissions to fully trusted
      users only.
    - Disable the Git node by adding n8n-nodes-base.git to the
      NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be
used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as primary score for all security advisories.
CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity
Critical
9.4 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-44790

Weaknesses
CWE-88 (Improper Neutralization of Argument Delimiters in a Command,
"Argument Injection")

Credits

    @simonkoeck (Reporter)
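The Git node issue is argument injection: a user-supplied remote or branch
name that begins with "-" is parsed by git as an option. The added example
below is not n8n's code; it shows the two habits that close that class of
bug when wrapping a CLI from Node: build argv as an array for execFile (no
shell), and allowlist every user-supplied positional, refusing a leading
dash. The gitPush wrapper and the allowlist rules are this example's own
choices.

```javascript
// Added example, not n8n code: safe argv construction for `git push`.

// Conservative allowlist for remote and branch names. Deliberately tighter
// than git's own ref-name rules: anything unusual is rejected up front.
function isSafeGitName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (name.startsWith('-')) return false;                  // would parse as an option
  if (!/^[A-Za-z0-9._\/-]+$/.test(name)) return false;     // no spaces, quotes, control chars, ~ ^ : ? * [ \
  if (name.startsWith('/') || name.startsWith('.') || name.endsWith('/')) return false;
  if (name.includes('..') || name.includes('//') || name.endsWith('.lock')) return false;
  return true;
}

// Build argv for a push. Options are chosen by code, never copied from
// input, and always precede the user-supplied positionals.
function buildGitPushArgs(remote, branch, { forceWithLease = false } = {}) {
  if (!isSafeGitName(remote)) throw new Error(`rejected remote name ${JSON.stringify(remote)}`);
  if (!isSafeGitName(branch)) throw new Error(`rejected branch name ${JSON.stringify(branch)}`);
  const args = ['push'];
  if (forceWithLease) args.push('--force-with-lease');
  args.push(remote, branch);
  return args;
}

// Hypothetical caller: execFile takes an argv array and starts no shell,
// so quoting is not a concern; the only remaining risk, option parsing,
// is handled by the allowlist above. Required lazily so the pure helpers
// stay usable under any module system.
function gitPush(repoDir, remote, branch, options) {
  const { execFile } = require('node:child_process');
  const args = buildGitPushArgs(remote, branch, options);
  return new Promise((resolve, reject) => {
    execFile('git', args, { cwd: repoDir }, (err, stdout, stderr) => {
      if (err) reject(err);
      else resolve({ stdout, stderr });
    });
  });
}

// Constructed sample: one accepted and one rejected argv.
console.log(buildGitPushArgs('origin', 'feature/login-2'));
try {
  buildGitPushArgs('-v', 'main');
} catch (e) {
  console.log(e.message);
}
```

A review checklist for any node or plugin that shells out: is there a shell
in the path (exec, shell: true, string concatenation)? Does every positional
that a workflow author controls pass through an allowlist that rejects a
leading dash? Are the flags hard-coded?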


_____________________________________________________________________

Source Control Pull SQL Injection
High
Jubke published GHSA-mhrx-qhrj-673w May 13, 2026

Package
n8n (npm)

Affected versions
< 1.123.43
< 2.21.1
< 2.20.7

Patched versions
>= 1.123.43
>= 2.21.1
>= 2.20.7

Description

Impact

An attacker with write access to the git repository connected to an n8n
Source Control configuration could commit a malicious Data Table JSON
file containing a crafted column name. When an administrator performed
a Source Control Pull, n8n imported the file and could lead to SQL
injection on the internal PostgreSQL instance.

Exploitation requires all of the following conditions:

    - The n8n instance uses PostgreSQL as its database backend.
    - The Source Control feature is enabled and connected to a repository
      the attacker can write to.
    - An administrator triggers a Source Control Pull.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.21.1.
Users should upgrade to one of these versions or later to remediate
the vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should
consider the following temporary mitigations:

    - Disable the Source Control feature if it is not actively required.
    - Restrict write access to the connected git repository to fully
      trusted users only.
    - Avoid pulling from repositories that may have been modified by
      untrusted parties.

These workarounds do not fully remediate the risk and should only
be used as short-term mitigation measures.

Severity
High
8.9 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-44792

Weaknesses
No CWEs

Credits

    @sm1ee (Reporter)
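The Source Control Pull issue is a reminder that a column name from a file
in a git repository is data, not SQL, even when it ends up in DDL where
bind parameters cannot be used. The added example below is not n8n's code
and does not reflect how n8n's Data Tables are stored; it shows the two
controls that apply: a strict identifier allowlist applied before anything
is built, and PostgreSQL identifier quoting as defence in depth. The
column-type map and the file layout are assumptions for this example.

```javascript
// Added example, not n8n code: DDL from an imported table definition
// without letting the definition contribute SQL text.

// PostgreSQL unquoted-identifier shape, capped at the 63-byte limit.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

function isValidIdentifier(name) {
  return typeof name === 'string' && IDENTIFIER_RE.test(name);
}

// Quote an identifier the way PostgreSQL expects: wrap in double quotes and
// double any embedded double quote. Applied even after allowlisting.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) {
    throw new Error('invalid identifier');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Assumed type vocabulary for this example; types are looked up, never
// copied from the file. hasOwnProperty keeps keys like "constructor" out.
const COLUMN_TYPES = { string: 'TEXT', number: 'DOUBLE PRECISION', boolean: 'BOOLEAN', date: 'TIMESTAMPTZ' };

function buildCreateTableSql(definition) {
  if (!isValidIdentifier(definition.name)) {
    throw new Error(`rejected table name ${JSON.stringify(definition.name)}`);
  }
  if (!Array.isArray(definition.columns) || definition.columns.length === 0) {
    throw new Error('a table needs at least one column');
  }
  const columns = definition.columns.map((col) => {
    if (!isValidIdentifier(col.name)) {
      throw new Error(`rejected column name ${JSON.stringify(col.name)}`);
    }
    if (!Object.prototype.hasOwnProperty.call(COLUMN_TYPES, col.type)) {
      throw new Error(`rejected column type ${JSON.stringify(col.type)}`);
    }
    return `${quoteIdentifier(col.name)} ${COLUMN_TYPES[col.type]}`;
  });
  return `CREATE TABLE ${quoteIdentifier(definition.name)} (${columns.join(', ')})`;
}

// Pre-import check for a pulled file: empty list means it would be accepted.
function validateDataTableFile(jsonText) {
  try {
    buildCreateTableSql(JSON.parse(jsonText));
    return [];
  } catch (e) {
    return [e.message];
  }
}

// Constructed sample files: one well-formed, one with a column name that
// carries SQL syntax and must be refused before any statement is built.
const GOOD_FILE = JSON.stringify({
  name: 'orders',
  columns: [{ name: 'id', type: 'number' }, { name: 'note', type: 'string' }],
});
const BAD_FILE = JSON.stringify({
  name: 'orders',
  columns: [{ name: 'note"; --', type: 'string' }],
});

console.log(buildCreateTableSql(JSON.parse(GOOD_FILE)));
console.log(validateDataTableFile(BAD_FILE));
```

Running the validator over every data-table file in a pull before importing
anything turns the advisory's third workaround ("avoid pulling from
repositories that may have been modified by untrusted parties") into a
check that can be automated in CI for the connected repository.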

_____________________________________________________________________

Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
High
Jubke published GHSA-6h4j-wcr9-2vg7 May 13, 2026

Package
n8n (npm)

Affected versions
< 1.123.43
< 2.21.1
< 2.20.7

Patched versions
>= 1.123.43
>= 2.21.1
>= 2.20.7

Description

Impact

The OAuth1 and OAuth2 credential reconnect endpoints authorized access
using credential:read rather than credential:update. An authenticated
user with read-only access to a shared credential could initiate an
OAuth reconnect flow and overwrite the stored token material for that
credential with tokens bound to an external account they control.
Workflows relying on the affected credential would subsequently execute
under the attacker's OAuth identity, enabling data exfiltration to
attacker-controlled external services and persistent takeover of
shared integrations.

This issue affects instances where credentials are shared with other
users or across projects.


Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.21.1.
Users should upgrade to one of these versions or later to remediate
the vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should consider
the following temporary mitigations:

    - Restrict credential sharing to fully trusted users only.
    - Audit shared credentials for unexpected OAuth token changes and
      revoke any tokens that may have been replaced.

These workarounds do not fully remediate the risk and should only be
used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as primary score for all security
advisories. CVSS 3.1 vector strings are provided for backwards
compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Severity
High
8.3 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity High
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

CVE ID
CVE-2026-45732

Weaknesses
CWE-639 (Authorization Bypass Through User-Controlled Key)

Credits

    @nkoorty (Reporter)
    @jjjutla (Reporter)
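The OAuth reconnect issue is a scope-to-operation mismatch: the endpoint
performed a write (replacing stored tokens) but checked a read scope. The
added example below is not n8n's code and uses a constructed in-memory
model of users, credentials and sharing grants; it places the weak check
beside the corrected one on the same data, and adds the audit the advisory's
second workaround calls for: flag shared credentials whose token material
was last written by someone other than the owner.

```javascript
// Added example, not n8n code: authorizing an OAuth reconnect, plus an
// audit helper for the interim workaround.
const SCOPE_READ = 'credential:read';
const SCOPE_UPDATE = 'credential:update';

// Effective scopes of `user` on `credential`: owners get everything,
// sharees get exactly what their grant lists.
function scopesFor(user, credential) {
  if (credential.ownerId === user.id) return new Set([SCOPE_READ, SCOPE_UPDATE]);
  const grant = credential.shares.find((s) => s.userId === user.id);
  return new Set(grant ? grant.scopes : []);
}

// Weak check, the pattern the advisory describes: reading is enough.
function canReconnectWeak(user, credential) {
  return scopesFor(user, credential).has(SCOPE_READ);
}

// Corrected check: replacing token material is a write.
function canReconnectFixed(user, credential) {
  return scopesFor(user, credential).has(SCOPE_UPDATE);
}

// OAuth callback in miniature. `authorize` is injectable only so the two
// policies can be compared; production code would hard-wire the fixed one.
function reconnect(user, credential, newTokens, authorize = canReconnectFixed) {
  if (!authorize(user, credential)) {
    return { ok: false, reason: 'forbidden: credential:update required' };
  }
  credential.tokens = { ...newTokens, updatedBy: user.id };
  return { ok: true };
}

// Audit: shared credentials whose tokens were last written by a non-owner.
// Each hit deserves review and, if unexplained, revocation and re-auth.
function findSuspiciousTokenUpdates(credentials) {
  return credentials
    .filter((c) => c.shares.length > 0 && c.tokens && c.tokens.updatedBy !== c.ownerId)
    .map((c) => c.id);
}

// Constructed sample: one credential shared read-only with a second user.
function sampleData() {
  const owner = { id: 'u-owner' };
  const viewer = { id: 'u-viewer' };
  const cred = {
    id: 'cred-1',
    ownerId: 'u-owner',
    shares: [{ userId: 'u-viewer', scopes: [SCOPE_READ] }],
    tokens: { accessToken: 'tok-original', updatedBy: 'u-owner' },
  };
  return { owner, viewer, cred };
}

const { viewer, cred } = sampleData();
console.log('weak  :', reconnect(viewer, cred, { accessToken: 'tok-viewer' }, canReconnectWeak));
console.log('audit :', findSuspiciousTokenUpdates([cred]));
```

The audit only works if token writes record who made them; if the stored
credential carries no "updated by" field, the equivalent signal has to come
from access logs for the reconnect endpoint, correlated with the
credential's owner.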



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================