{"data":{"id":"961556a7-6eac-43a3-a839-d39ec5457aa4","title":"GHSA-c8xv-5998-g76h: n8n: HTTP Request Node Pagination Prototype Pollution to RCE","summary":"An authenticated user in n8n (a workflow automation tool) could exploit an unvalidated pagination parameter in the HTTP Request node to achieve prototype pollution (a type of attack that corrupts an object used by many parts of a program), potentially leading to RCE (remote code execution, where an attacker can run commands on a system they don't control). This vulnerability requires the attacker to have permission to create or modify workflows.","solution":"The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the HTTP Request node by adding `n8n-nodes-base.httpRequest` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-c8xv-5998-g76h","publishedAt":"2026-05-14T16:17:23.000Z","cveId":"CVE-2026-44789","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["n8n@>= 2.0.0-rc.0, < 2.20.7 (fixed: 2.20.7)","n8n@>= 2.21.0, < 2.22.1 (fixed: 2.22.1)","n8n@< 1.123.43 (fixed: 1.123.43)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T16:17:23.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}