Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable web UI (AV:N), trivial flag injection (AC:L), requires authenticated workflow editor (PR:L), no user interaction, host-level file read escapes app scope (S:C) with full CIA impact.
Primary rating from Vendor (https://github.com/n8n-io/n8n).
CVSS VectorVendor: https://github.com/n8n-io/n8n
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Impact
An authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise.
Patches
The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Git node by adding
n8n-nodes-base.gitto theNODES_EXCLUDEenvironment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
--- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AnalysisAI
Argument injection in the n8n workflow automation platform's Git node allows authenticated users with workflow edit privileges to inject CLI flags into the Git Push operation, enabling arbitrary file read from the n8n server and potentially full host compromise. The flaw affects n8n versions prior to 1.123.43, 2.20.7, and 2.22.1, and is rated CVSS 9.4 (4.0) with no public exploit identified at time of analysis. EPSS is low at 0.04% (14th percentile), and the bug is classified under CWE-88 (Argument Injection).
Technical ContextAI
n8n is a Node.js-based, low-code workflow automation platform (npm package n8n) that ships built-in 'nodes' for integrating external services. The vulnerable component is the Git node (n8n-nodes-base.git), which invokes the git command line under the hood. CWE-88 (Improper Neutralization of Argument Delimiters) describes the root cause: user-controlled values passed to the Git Push operation are concatenated into the argv vector without proper separation, so a value beginning with - or -- is interpreted as a flag by git push. Because git supports options such as --upload-pack and --receive-pack that can execute helper programs, or features like core.sshCommand that read external files, attacker-controlled flags can be leveraged to read arbitrary files (and per the advisory, potentially escalate to full server compromise) under the n8n process identity.
RemediationAI
Vendor-released patches are available: upgrade to n8n 1.123.43, 2.20.7, or 2.22.1 (or any later release on those branches), as documented in the GitHub Security Advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-57g9-58c2-xjg3. If immediate upgrade is not possible, the vendor's documented workarounds are to disable the Git node entirely by adding n8n-nodes-base.git to the NODES_EXCLUDE environment variable (this breaks any existing workflows that rely on Git Push/Pull operations, so audit usage first), and to restrict workflow create/edit permissions strictly to fully trusted operator-level users, removing the editor role from any partially trusted accounts. Both mitigations are explicitly described as partial by the vendor and should be treated as temporary until the patched version is deployed.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38484
GHSA-57g9-58c2-xjg3