Improper Neutralization of Argument Delimiters in a Command in n8n - CVE-2026-44790

 


Published: May 13, 2026


Vulnerability identifier: #VU131360
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-44790
CWE-ID: CWE-88
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to read arbitrary files from the n8n server, potentially leading to full compromise.

The vulnerability exists due to improper neutralization of argument delimiters in the Git node's Push operation, which does not neutralize CLI flags injected into its input. A remote user can inject CLI flags through a workflow to read arbitrary files from the n8n server, potentially leading to full compromise.

Exploitation requires permission to create or modify workflows.
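
The general CWE-88 hardening pattern for a wrapper that builds `git push` arguments, shown as an added example: it is not n8n's code and not the vendor's fix. The function names, the choice of `remote` and `branch` as the user-controlled fields, the allow-list and the sample values are assumptions made for illustration.

```javascript
// Added example (hypothetical names, constructed values); not n8n's implementation.

// Conservative allow-list for remote and branch names (assumed policy).
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/;

// Validate one user-supplied operand before it is placed in argv.
function assertOperand(label, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${label} must be a non-empty string`);
  }
  // A leading '-' is what lets the value be parsed as an option instead of data.
  if (value.startsWith('-')) {
    throw new Error(`${label} must not start with '-'`);
  }
  if (!SAFE_NAME.test(value)) {
    throw new Error(`${label} contains characters outside the allow-list`);
  }
  return value;
}

// Weak form: user-controlled strings go straight into argv, so a
// flag-shaped value is indistinguishable from an option the code chose.
function buildPushArgsUnsafe(remote, branch) {
  return ['push', remote, branch];
}

// Hardened form: validate each operand, then end option parsing with `--`
// so everything after it is treated as a positional argument.
function buildPushArgs(remote, branch) {
  return [
    'push',
    '--',
    assertOperand('remote', remote),
    assertOperand('branch', branch),
  ];
}

// Review/test helper: true when any element between the subcommand and
// `--` (or the end of argv, if `--` is absent) would be parsed as an option.
function hasOptionShapedOperand(argv) {
  const end = argv.indexOf('--');
  const optionZone = end === -1 ? argv.slice(1) : argv.slice(1, end);
  return optionZone.some((arg) => arg.startsWith('-'));
}
```

The resulting array is meant to be passed to a process-spawning call that takes an argument vector rather than a shell string, so no shell quoting is involved.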


How to mitigate CVE-2026-44790

Install the security update from the vendor's website.
