Critical RCE Vulnerability in n8n Workflow Automation Platform (CVE-2026-21877)
A critical remote code execution (RCE) vulnerability, identified as CVE-2026-21877 and rated CVSS 10.0, was disclosed in the open-source workflow automation platform n8n. The flaw allows authenticated users to execute arbitrary code on affected instances, potentially leading to full system compromise. Both self-hosted and n8n Cloud deployments are impacted, specifically versions from 0.123.0 up to but not including 1.121.3. The vulnerability was discovered by security researcher Théo Lelasseux and has been addressed in version 1.121.3, released in November 2025. Administrators are strongly advised to upgrade immediately or, if patching is not possible, to disable the Git node and restrict access for untrusted users to mitigate risk.
The disclosure follows a series of critical vulnerabilities in n8n, highlighting ongoing security challenges for the platform. The Canadian Centre for Cyber Security and other sources have issued advisories urging prompt action to apply the necessary updates. The vulnerability underscores the importance of timely patch management and access control for workflow automation tools, especially those exposed to untrusted users or the internet.
Timeline
Jan 7, 2026
Canadian Centre for Cyber Security issues advisory on n8n flaw
On 2026-01-07, the Canadian Centre for Cyber Security published advisory AV26-004 warning about CVE-2026-21877 and urging administrators to review n8n guidance and apply updates. The advisory described the issue as a critical remote code execution vulnerability via arbitrary file write.
Jan 6, 2026
n8n publicly discloses CVE-2026-21877 and urges patching
On 2026-01-06, n8n disclosed CVE-2026-21877 as a maximum-severity vulnerability and advised users to upgrade to 1.121.3 or later. The company also recommended mitigations such as disabling the Git node and restricting access for untrusted users if immediate patching was not possible.
Nov 1, 2025
n8n releases version 1.121.3 fixing critical RCE flaw
n8n released version 1.121.3 in November 2025 to fix CVE-2026-21877, a critical arbitrary file write issue that can lead to authenticated remote code execution. The flaw affects versions 0.123.0 up to, but not including, 1.121.3 across self-hosted deployments and n8n Cloud.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Affected Products
Sources
Related Stories
Critical Remote Code Execution Vulnerability in n8n Workflow Automation Platform
A critical remote code execution vulnerability, tracked as CVE-2026-21877, has been identified in the n8n workflow automation platform. The flaw, rated CVSS 10.0, allows authenticated users to execute arbitrary code on affected n8n instances, posing a significant risk to environments where n8n is used to automate workflows with access to sensitive data, internal systems, and credentials. The vulnerability impacts n8n versions from 0.123.0 up to but not including 1.121.3, affecting both self-hosted and managed deployments. Exploitation requires authenticated access, and the vulnerability is linked to unsafe handling that can result in the execution of untrusted code. The issue has been addressed in n8n version 1.121.3 and later, and users are strongly advised to upgrade immediately to mitigate the risk. Additional recommendations include restricting workflow modification access to trusted administrators, blocking high-risk nodes at runtime, and reviewing audit logs for suspicious activity prior to patching. No public exploit details or proof-of-concept have been released as of the latest advisories. Organizations using n8n should prioritize patching and implement hardening measures to prevent potential compromise of their automation infrastructure.
1 months agoCritical Remote Code Execution Vulnerability in n8n Workflow Automation Platform
A critical vulnerability, tracked as CVE-2025-68613, was discovered in the n8n workflow automation platform, allowing authenticated users to execute arbitrary code on affected instances. The flaw, which impacts versions 0.211.0 up to but not including 1.120.4, arises from insufficient isolation of user-supplied expressions during workflow configuration, potentially leading to full system compromise, unauthorized data access, and modification of workflows. The vulnerability has a CVSS score of 9.9, and over 100,000 potentially exposed instances have been identified globally, with the highest concentrations in the U.S., Germany, France, Brazil, and Singapore. Security advisories urge immediate patching to versions 1.120.4, 1.121.1, or 1.122.0 to mitigate the risk. For organizations unable to patch immediately, it is recommended to restrict workflow creation and editing permissions to trusted users and to deploy n8n in a hardened environment with limited operating system privileges and network access. The Canadian Centre for Cyber Security and other authorities have issued alerts emphasizing the criticality of this vulnerability and the urgent need for remediation.
1 months ago
Critical RCE and security-bypass vulnerabilities in n8n workflow automation platform
Researchers reported **critical vulnerabilities in the n8n low-code workflow automation platform** that can enable **host-level compromise**. The issues include **CVE-2026-1470 (CVSS 9.9)** and **CVE-2026-0863 (CVSS 8.5)**, described as allowing attackers to **bypass security controls**, achieve **arbitrary code execution**, and potentially obtain **full control of n8n services**, with downstream exposure of **credentials, API keys, and other sensitive data**. Impact spans **cloud deployments** as well as **self-hosted instances** that have not been patched. Given n8n’s common use to integrate SaaS services and increasingly to orchestrate **LLM-enabled business workflows**, successful exploitation could provide broad access to connected systems and secrets stored in workflows. Coverage also noted the disclosures follow an earlier, separate critical n8n issue reported in late 2025, reinforcing the need for tighter vulnerability management around automation/orchestration tooling. Organizations were urged to **upgrade to patched versions** and review hardening controls for n8n deployments, particularly where the platform has access to high-privilege tokens and production integrations.
1 months ago