GHSA-43v7-fp2v-68f6: n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
Summary
n8n's Source Control feature, when configured to use SSH (a secure network protocol), disabled host key verification, meaning it didn't confirm the identity of the Git server it was connecting to. An attacker on the network could trick n8n into connecting to a fake server and inject malicious code into workflows or steal repository data.
Solution / Mitigation
The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily disable the Source Control feature if not actively required, or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Vulnerability Details
EPSS: 0.0%
Yes
March 25, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-43v7-fp2v-68f6
First tracked: March 25, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%