CVE-2026-44789: n8n: HTTP Request Node Pagination Prototype Pollution to RCE

May 14, 2026

An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.

References

github.com/advisories/GHSA-c8xv-5998-g76h
github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h
nvd.nist.gov/vuln/detail/CVE-2026-44789

Code Behaviors & Features

Detect and mitigate CVE-2026-44789 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →