VulnerableCode Package Details - pkg:npm/n8n@2.22.1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7fn6-gvxs-wygq	n8n: HTTP Request Node Pagination Prototype Pollution to RCE ## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. ## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the HTTP Request node by adding `n8n-nodes-base.httpRequest` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. --- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	CVE-2026-44789 GHSA-c8xv-5998-g76h
VCID-hx1p-thnm-4ud4	n8n Has an Arbitrary File Read via Git Node ## Impact An authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise. ## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. --- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	CVE-2026-44790 GHSA-57g9-58c2-xjg3
VCID-n38u-498z-gke2	n8n Has an XML Node Prototype Pollution Patch Bypass ## Impact An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. ## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. --- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	CVE-2026-44791 GHSA-wrwr-h859-xh2r

Vulnerability

Summary

Aliases

VCID-7fn6-gvxs-wygq

n8n: HTTP Request Node Pagination Prototype Pollution to RCE ## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. ## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the HTTP Request node by adding `n8n-nodes-base.httpRequest` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. --- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2026-44789
GHSA-c8xv-5998-g76h

VCID-hx1p-thnm-4ud4

n8n Has an Arbitrary File Read via Git Node ## Impact An authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise. ## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. --- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2026-44790
GHSA-57g9-58c2-xjg3

VCID-n38u-498z-gke2

n8n Has an XML Node Prototype Pollution Patch Bypass ## Impact An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. ## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. --- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2026-44791
GHSA-wrwr-h859-xh2r

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-15T09:16:48.163324+00:00	GitLab Importer	Fixing	VCID-7fn6-gvxs-wygq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/n8n/CVE-2026-44789.yml	38.6.0
2026-06-15T09:16:47.491462+00:00	GitLab Importer	Fixing	VCID-hx1p-thnm-4ud4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/n8n/CVE-2026-44790.yml	38.6.0
2026-06-15T09:16:45.836496+00:00	GitLab Importer	Fixing	VCID-n38u-498z-gke2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/n8n/CVE-2026-44791.yml	38.6.0
2026-06-13T06:30:22.499307+00:00	GHSA Importer	Fixing	VCID-n38u-498z-gke2	https://github.com/advisories/GHSA-wrwr-h859-xh2r	38.6.0
2026-06-13T06:30:22.467317+00:00	GHSA Importer	Fixing	VCID-hx1p-thnm-4ud4	https://github.com/advisories/GHSA-57g9-58c2-xjg3	38.6.0
2026-06-13T06:30:22.353580+00:00	GHSA Importer	Fixing	VCID-7fn6-gvxs-wygq	https://github.com/advisories/GHSA-c8xv-5998-g76h	38.6.0
2026-06-12T07:51:52.263017+00:00	GithubOSV Importer	Fixing	VCID-7fn6-gvxs-wygq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c8xv-5998-g76h/GHSA-c8xv-5998-g76h.json	38.6.0
2026-06-12T07:51:05.524760+00:00	GithubOSV Importer	Fixing	VCID-hx1p-thnm-4ud4	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-57g9-58c2-xjg3/GHSA-57g9-58c2-xjg3.json	38.6.0
2026-06-12T07:51:00.383014+00:00	GithubOSV Importer	Fixing	VCID-n38u-498z-gke2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wrwr-h859-xh2r/GHSA-wrwr-h859-xh2r.json	38.6.0