CVE-2026-44790: n8n Has an Arbitrary File Read via Git Node

May 14, 2026

An authenticated user with permission to create or modify workflows could inject CLI flags on the Git node’s Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise.

References

github.com/advisories/GHSA-57g9-58c2-xjg3
github.com/n8n-io/n8n/security/advisories/GHSA-57g9-58c2-xjg3
nvd.nist.gov/vuln/detail/CVE-2026-44790

Code Behaviors & Features

Detect and mitigate CVE-2026-44790 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →