A critical security vulnerability has been discovered in n8n, the popular workflow automation tool, potentially allowing authenticated attackers to execute arbitrary code on the host server.
Identified as CVE-2026-21877, this high-severity vulnerability affects both self-hosted and n8n Cloud instances, posing a significant risk to organizations relying on the platform for business process automation.
The vulnerability has been patched in version 1.121.3, and administrators are urged to upgrade immediately.
Vulnerability Overview
The vulnerability is classified as an Authenticated Remote Code Execution (RCE) vulnerability. It stems from improper handling of user inputs within specific workflow nodes, particularly involving the Git node functionality.
Under certain conditions, an attacker with low-level privileges (authenticated access) can manipulate these inputs to inject and execute untrusted code.
Because n8n often integrates with sensitive internal APIs, databases, and third-party services, a successful exploit could lead to a complete compromise of the affected instance.
This would allow attackers to steal credentials, pivot to other parts of the internal network, or manipulate automated workflows for malicious purposes.
Key Vulnerability Metrics:
- CVE ID: CVE-2026-21877.
- CVSS Score: 9.9 (Critical).
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
- Impact: Confidentiality (High), Integrity (High), Availability (High).
The CVSS score highlights the severity: the attack can be launched over the network (AV:N) with low complexity (AC:L), requires no user interaction (UI:N), and notably, has a changed scope (S:C), meaning the compromise can extend beyond the n8n application to the underlying host system.
Technical Details and Impact
The issue was reported by security researcher theolelasseux, who identified that the vulnerability leverages weakness CWE-434 (Unrestricted Upload of File with Dangerous Type) alongside command injection vectors.
In standard deployment scenarios, n8n vulnerability allows users to create complex workflows using “nodes.”
The vulnerability specifically targets how the platform processes certain authenticated requests. If an organization grants access to untrusted users or if a legitimate user account is compromised threat actors could weaponize the Git node to execute shell commands.
“The ability for an authenticated user to cause untrusted code execution presents a critical risk,” the advisory notes. “This could result in full compromise of the affected instance.”
The n8n team has released a patch to address this vulnerability. All users are strongly advised to update to version 1.121.3 or later immediately. This update sanitizes the vulnerable inputs and restricts the execution capabilities of the affected nodes.
- Upgrade: Update n8n instances to v1.121.3.
- Restrict Access: If an immediate upgrade is not possible, administrators should limit access to the n8n instance to trusted users only.
- Disable Features: As a temporary workaround, turning off the Git node functionality can reduce the attack surface.
Organizations using n8n Cloud are also affected, though managed instances are typically patched by the provider. Self-hosted users, especially those exposing their instances to the internet, remain the most vulnerable until the patch is applied.
| Metric | Details |
|---|---|
| CVE ID | CVE-2026-21877 |
| Severity | Critical (9.9) |
| Affected Versions | Pre-1.121.3 |
| Patched Version | 1.121.3 |
| Reporter | theolelasseux |
Administrators are encouraged to review their instance logs for any suspicious activity involving the Git node or unexpected command executions prior to patching.
n8n is a “fair-code” workflow automation tool that allows users to interconnect independent services via APIs. It is widely used for technical process automation, data synchronization, and light backend development.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.