CVE-2026-33724
Published: 25 March 2026
Summary
CVE-2026-33724 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in n8n. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 4.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2026-33724 affects n8n, an open source workflow automation platform, in versions prior to 2.5.0. The vulnerability arises in the Source Control feature when explicitly configured to use SSH for Git operations. In this setup, the SSH command explicitly disables host key verification, enabling a man-in-the-middle (MITM) attack where a network adversary could intercept the connection between the n8n instance and the remote Git server.
A remote network attacker positioned between the n8n instance and the Git server can exploit this by presenting a fraudulent host key. Successful exploitation allows the attacker to inject malicious content into workflows or intercept repository data, leading to high confidentiality and integrity impacts without requiring privileges or user interaction. The CVSS v3.1 base score of 7.4 reflects network accessibility but high attack complexity (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), and it maps to CWE-639 (Authorization Bypass Through User-Controlled Key).
The n8n security advisory (GHSA-43v7-fp2v-68f6) confirms the issue is fixed in version 2.5.0, recommending immediate upgrades to this or later versions. For temporary mitigations where upgrading is not feasible, administrators should disable the Source Control feature if not required or restrict network access to ensure communication occurs only over trusted paths; these are short-term measures and do not fully eliminate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15954
Vulnerability details
n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: disable the Source Control feature if it is not actively required, and/or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
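The paragraphs above describe the defect (an SSH command that turns off host key verification) and the fix direction (enforce host verification against a trusted key). The following POSIX shell script is an added example, not code from n8n or from this advisory. It audits a GIT_SSH_COMMAND string for the OpenSSH options that disable verification, builds a hardened replacement pinned to an administrator-managed known_hosts file, and checks that the file actually carries an entry for the Git host. It assumes the pre-2.5.0 command used `StrictHostKeyChecking=no` and/or `UserKnownHostsFile=/dev/null` (the standard OpenSSH way to disable verification; the advisory does not quote the exact options), and the host name `git.example.internal`, the key path and the known_hosts key line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not n8n project code. Audits a GIT_SSH_COMMAND for OpenSSH
# options that disable host key verification and builds a hardened one.
# Assumption: the weak command used StrictHostKeyChecking=no and/or
# UserKnownHostsFile=/dev/null; the advisory does not quote the exact options.

# Return 0 (true) when the command disables host key verification.
# StrictHostKeyChecking=no/off accepts whatever key the peer presents, and a
# /dev/null known_hosts file leaves nothing to compare a presented key against.
ssh_cmd_disables_hostkey_check() {
  lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$lc" in
    *stricthostkeychecking=no*|*stricthostkeychecking=off*|*userknownhostsfile=/dev/null*)
      return 0 ;;
  esac
  return 1
}

# Print a hardened GIT_SSH_COMMAND: offer only the deploy key, pin to an
# admin-managed known_hosts file, and refuse unknown or changed host keys
# instead of silently accepting or auto-adding them.
hardened_git_ssh_command() {
  key="$1"
  known_hosts="$2"
  printf 'ssh -i %s -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' \
    "$key" "$known_hosts"
}

# Return 0 when a plain (unhashed) known_hosts file has an entry for host $2,
# with or without a [host]:port prefix. Hashed entries (HashKnownHosts yes)
# must be checked with `ssh-keygen -F host -f file` instead.
known_hosts_pins_host() {
  grep -Eq "^(\[)?$2(\]:[0-9]+)?[ ,]" "$1" 2>/dev/null
}

# --- constructed sample data (placeholders, not real hosts or keys) ----------
WEAK_CMD='ssh -i /data/.ssh/deploy_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
SAMPLE_KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
# The key material below is a constructed placeholder. A real entry must come
# from the Git provider's published fingerprints or an out-of-band check.
printf 'git.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLD\n' \
  > "$SAMPLE_KNOWN_HOSTS"

main() {
  if ssh_cmd_disables_hostkey_check "$WEAK_CMD"; then
    echo "WEAK: host key verification disabled in: $WEAK_CMD"
  fi
  SAFE_CMD=$(hardened_git_ssh_command /data/.ssh/deploy_key "$SAMPLE_KNOWN_HOSTS")
  echo "HARDENED: $SAFE_CMD"
  if known_hosts_pins_host "$SAMPLE_KNOWN_HOSTS" git.example.internal; then
    echo "known_hosts pins git.example.internal; the hardened command can connect"
  else
    echo "known_hosts has no entry for git.example.internal; add one before deploying"
  fi
}

main "$@"
```

The hardened command fails closed: with `StrictHostKeyChecking=yes` OpenSSH refuses to connect to a host whose key is missing from or differs from the pinned file, so a fraudulent key presented on the path to the Git server produces a connection error rather than a silently intercepted session. The same audit function can be run over any environment or container configuration that sets GIT_SSH_COMMAND, which is how a defender would confirm that no other integration carries the same weakness.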
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing n8n instance enables a network man-in-the-middle attack (T1190, T1557) through the disabled SSH host key verification, which in turn allows manipulation of transmitted data to inject malicious workflow content (T1565.002).
Mitigating Controls (NIST 800-53 r5)
- IA-3 (Device Identification and Authentication): requires identification and authentication of remote devices such as the Git server before establishing SSH connections, directly mitigating fraudulent host keys presented in MITM attacks.
- SC-23 (Session Authenticity): mandates protection of communications session authenticity, preventing man-in-the-middle impersonation during SSH git operations by enforcing host verification.
- Ensures confidentiality and integrity of information transmitted over SSH to the Git server, countering interception and malicious injection enabled by disabled host key verification.