CVE-2026-33724

Severity: Medium

Published: 25 March 2026

Modified: 27 March 2026
KEV Added: not listed
Patch: available (fixed in 2.5.0)
CVSS Score v4: 6.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (4.4th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33724 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in n8n (vendor N8N). Its CVSS v4 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 4.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-33724 affects n8n, an open source workflow automation platform, in versions prior to 2.5.0. The vulnerability arises in the Source Control feature when it has been explicitly configured to use SSH for Git operations. In that configuration, the SSH command n8n invokes disables host key verification, so the client accepts whatever host key the far end presents. That enables a man-in-the-middle (MITM) attack in which a network adversary intercepts the connection between the n8n instance and the remote Git server.

A remote network attacker positioned between the n8n instance and the Git server can exploit this by presenting a fraudulent host key, which the client accepts because verification is off. Successful exploitation allows the attacker to inject malicious content into workflows or intercept repository data, giving high confidentiality and integrity impacts without requiring privileges or user interaction. The CVSS v3.1 base score of 7.4 reflects network accessibility combined with high attack complexity (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), and the record maps it to CWE-639 (Authorization Bypass Through User-Controlled Key).

The n8n security advisory (GHSA-43v7-fp2v-68f6) confirms the issue is fixed in version 2.5.0, recommending immediate upgrades to this or later versions. For temporary mitigations where upgrading is not feasible, administrators should disable the Source Control feature if not required or restrict network access to ensure communication occurs only over trusted paths; these are short-term measures and do not fully eliminate the risk.

Vulnerability details

n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable the Source Control feature if it is not actively required, and/or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
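The deeper analysis and the advisory text above both come down to one configuration property: whether the SSH command a Git client is told to run keeps host key verification on. The following audit script is an added example, not code from n8n or from the advisory. It checks an SSH command string (the kind of value passed through GIT_SSH_COMMAND) for options that switch verification off, checks that the Git server's key is pinned in a known_hosts file, and shows a hardened command beside a weak one. The advisory does not name the exact flags n8n used, so the flags checked here are the standard OpenSSH ways of disabling the check (an assumption); the key paths, hostnames and the known_hosts entry are constructed placeholders.

```shell
#!/bin/sh
# Added example (not n8n code): audit an SSH command string used for Git
# operations for options that disable host key verification, and verify that
# the Git host is pinned in a known_hosts file. Flags, paths and hostnames are
# assumptions/placeholders, not values taken from n8n.

# Constructed weak command (illustrative, not n8n's literal value): accepts any
# host key and never records one, so a MITM host key is silently trusted.
WEAK_GIT_SSH_COMMAND='ssh -i /data/ssh/n8n_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

# Hardened form: refuse unknown or changed keys, and read pins from a dedicated
# known_hosts file that the operator populates out of band.
HARDENED_GIT_SSH_COMMAND='ssh -i /data/ssh/n8n_key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/data/ssh/known_hosts'

# ssh_cmd_disables_hostkey_check CMD
# Exit status 0 if CMD carries an option that turns host key verification off.
ssh_cmd_disables_hostkey_check() {
  # Lowercase and fold "-o X" into "-oX" so both spellings are matched.
  norm=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/-o[[:space:]]*/-o/g')
  case "$norm" in
    *-ostricthostkeychecking=no*|*-ostricthostkeychecking=off*|*-ouserknownhostsfile=/dev/null*)
      return 0 ;;
  esac
  return 1
}

# known_hosts_pins_host FILE HOST
# Exit status 0 if FILE has a plain (non-hashed) entry for HOST.
known_hosts_pins_host() {
  [ -r "$1" ] || return 1
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # dots are literal in the host
  grep -q "^$esc[ ,]" "$1"
}

# audit_ssh_config CMD KNOWN_HOSTS HOST
# Prints a verdict; exit status 0 only when verification is on and HOST is pinned.
audit_ssh_config() {
  if ssh_cmd_disables_hostkey_check "$1"; then
    echo "FAIL: host key verification disabled in: $1"
    return 1
  fi
  if ! known_hosts_pins_host "$2" "$3"; then
    echo "FAIL: no pinned key for $3 in $2"
    return 1
  fi
  echo "OK: verification on and $3 pinned in $2"
  return 0
}

# Constructed known_hosts file with a placeholder key (not a real server key).
KH=$(mktemp)
trap 'rm -f "$KH"' EXIT
printf '%s\n' 'git.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER' > "$KH"

audit_ssh_config "$WEAK_GIT_SSH_COMMAND" "$KH" git.example.internal         # FAIL
audit_ssh_config "$HARDENED_GIT_SSH_COMMAND" "$KH" git.example.internal     # OK
audit_ssh_config "$HARDENED_GIT_SSH_COMMAND" "$KH" other.example.internal   # FAIL (not pinned)
```

The check is deliberately conservative: it flags both StrictHostKeyChecking=no and a /dev/null known_hosts file, because either one on its own lets a fraudulent host key through. Pinning the Git server's key in a file the n8n process can read, obtained over a trusted channel rather than on first connect, is what turns the hardened command into an actual control.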

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1557 Adversary-in-the-Middle (Credential Access): Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing…
T1565.002 Transmitted Data Manipulation (Impact): Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability in a public-facing n8n instance (T1190) enables a network MITM via disabled SSH host key verification (T1557), which directly facilitates transmitted data manipulation to inject malicious workflow content (T1565.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21877 (same product: N8N N8N)
CVE-2026-25055 (same product: N8N N8N)
CVE-2025-68613 (same product: N8N N8N)
CVE-2026-1470 (same product: N8N N8N)
CVE-2026-42232 (same product: N8N N8N)
CVE-2025-62726 (same product: N8N N8N)
CVE-2026-27577 (same product: N8N N8N)
CVE-2026-27498 (same product: N8N N8N)
CVE-2026-42231 (same product: N8N N8N)
CVE-2026-27493 (same product: N8N N8N)

Affected Assets

Vendor: n8n
Product: n8n
Versions: ≤ 2.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-derived mapping)

IA-3 Device Identification and Authentication (prevent): Requires identification and authentication of remote devices such as the Git server before establishing SSH connections, directly mitigating fraudulent host keys presented in MITM attacks.

SC-23 Session Authenticity (prevent): Mandates protection of communications session authenticity, preventing man-in-the-middle impersonation during SSH git operations by enforcing host verification.

Transmission protection (prevent): Ensures confidentiality and integrity of information transmitted over SSH to the Git server, countering interception and malicious injection enabled by disabled host key verification.
