CVE-2026-33724: n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
When the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data.
- This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default).
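As an added example (not n8n's code), the sketch below classifies an SSH command string, such as one passed through Git's `GIT_SSH_COMMAND`, by how it treats host keys, and builds a command that pins the server key instead. The function names, the sample strings and the known_hosts path are constructed for illustration; it assumes the Git server's key has already been verified out of band and stored in that file.

```shell
#!/bin/sh
# Added example: audit an SSH command string for host key verification.
# classify_ssh_cmd and hardened_ssh_cmd are hypothetical helper names.

classify_ssh_cmd() {
    # ssh option keywords are case-insensitive and accept "key=value" or
    # "key value", so normalise both forms before matching.
    c=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -s ' \t' ' ' |
        sed -e 's/stricthostkeychecking[ =]\{1,\}/stricthostkeychecking=/g' \
            -e 's/userknownhostsfile[ =]\{1,\}/userknownhostsfile=/g')
    case "$c" in
        # "no"/"off": unknown and changed host keys are accepted.
        *stricthostkeychecking=no*|*stricthostkeychecking=off*)
            echo disabled ;;
        # Known keys are discarded, so there is nothing to compare against.
        *userknownhostsfile=/dev/null*)
            echo no-pinned-keys ;;
        # First key seen is trusted; later changes are rejected.
        *stricthostkeychecking=accept-new*)
            echo trust-on-first-use ;;
        *stricthostkeychecking=yes*)
            echo strict ;;
        *)  echo ssh-default ;;
    esac
}

# Build a command that only connects when the server key matches an entry in
# the given known_hosts file ($1; assumed to contain no spaces).
hardened_ssh_cmd() {
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$1"
}

# Constructed sample commands, one per line.
samples='ssh -o StrictHostKeyChecking=no -i /path/to/key
ssh -o "StrictHostKeyChecking accept-new"
ssh -i /path/to/key'

printf '%s\n' "$samples" | while IFS= read -r s; do
    printf '%-20s %s\n' "$(classify_ssh_cmd "$s")" "$s"
done

# Placeholder path; use with e.g. GIT_SSH_COMMAND="$(...)" git fetch
hardened=$(hardened_ssh_cmd /path/to/verified_known_hosts)
printf '%-20s %s\n' "$(classify_ssh_cmd "$hardened")" "$hardened"
```

With `StrictHostKeyChecking=yes`, a connection to a server presenting a key that is not in the pinned file fails instead of proceeding, which is the behaviour the vulnerable configuration gave up.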