CVE-2026-44789
Prototype Pollution vulnerability in n8n (npm)
What is CVE-2026-44789 About?
This vulnerability allows an authenticated user to achieve global prototype pollution through an unvalidated pagination parameter. Successful exploitation can lead to Remote Code Execution (RCE) when combined with other techniques, making it a high-impact flaw that is relatively easy for an authenticated attacker to exploit.
Affected Software
- n8n
  - <1.123.43
  - >=2.21.0, <2.22.1
  - >=2.0.0-rc.0, <2.20.7
Technical Details
An authenticated user with permission to create or modify workflows can exploit an unvalidated pagination parameter in the HTTP Request node. By manipulating this parameter, the attacker can pollute prototypes globally, that is, inject properties into fundamental JavaScript object prototypes. Prototype pollution does not lead directly to RCE, but it can be chained with other vulnerabilities or techniques in the application's codebase to achieve Remote Code Execution on the n8n instance.
What is the Impact of CVE-2026-44789?
Successful exploitation may allow attackers to execute arbitrary code on the server, gain full control over the application, and potentially compromise the underlying system.
What is the Exploitability of CVE-2026-44789?
Exploitation of this vulnerability requires an authenticated user account with permissions to create or modify workflows. The attack is remote, as it involves manipulating parameters within HTTP requests. It is of medium complexity, as it requires crafting specific input to trigger prototype pollution and then chaining it with other techniques to achieve RCE. No specific user interaction beyond creating/modifying workflows is required from the victim, but certain environmental conditions or additional vulnerabilities might be necessary for full RCE.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-44789?
Available Upgrade Options
- n8n
  - <1.123.43 → Upgrade to 1.123.43
  - >=2.0.0-rc.0, <2.20.7 → Upgrade to 2.20.7
  - >=2.21.0, <2.22.1 → Upgrade to 2.22.1
Additional Resources
What are Similar Vulnerabilities to CVE-2026-44789?
Similar Vulnerabilities: CVE-2020-28283, CVE-2022-26279, CVE-2020-15228, CVE-2020-7798, CVE-2021-23467
