Critical RCE and security-bypass vulnerabilities in n8n workflow automation platform
Researchers reported critical vulnerabilities in the n8n low-code workflow automation platform that can enable host-level compromise. The issues include CVE-2026-1470 (CVSS 9.9) and CVE-2026-0863 (CVSS 8.5), described as allowing attackers to bypass security controls, achieve arbitrary code execution, and potentially obtain full control of n8n services, with downstream exposure of credentials, API keys, and other sensitive data. Impact spans cloud deployments as well as self-hosted instances that have not been patched.
Given n8n’s common use to integrate SaaS services and increasingly to orchestrate LLM-enabled business workflows, successful exploitation could provide broad access to connected systems and secrets stored in workflows. Coverage also noted the disclosures follow an earlier, separate critical n8n issue reported in late 2025, reinforcing the need for tighter vulnerability management around automation/orchestration tooling. Organizations were urged to upgrade to patched versions and review hardening controls for n8n deployments, particularly where the platform has access to high-privilege tokens and production integrations.
Timeline
Jan 30, 2026
TechTarget urges immediate patching of critical and high-severity flaws
TechTarget published a news brief advising organizations to patch critical and high-severity vulnerabilities, reflecting public reporting and response activity around serious disclosed flaws. The specific vulnerabilities are not detailed in the provided content.
Jan 29, 2026
CSO Online highlights critical RCE bugs affecting the n8n platform
CSO Online published a roundup item highlighting a story about critical remote code execution vulnerabilities in the n8n automation platform that could enable host-level compromise. The reference indicates the issue was publicly reported by January 29, 2026.
Related Stories

Critical RCE Vulnerability in n8n Workflow Automation Platform (CVE-2026-21877)
A critical remote code execution (RCE) vulnerability, identified as CVE-2026-21877 and rated CVSS 10.0, was disclosed in the open-source workflow automation platform n8n. The flaw allows authenticated users to execute arbitrary code on affected instances, potentially leading to full system compromise. Both self-hosted and n8n Cloud deployments are impacted, specifically versions from 0.123.0 up to but not including 1.121.3. The vulnerability was discovered by security researcher Théo Lelasseux and has been addressed in version 1.121.3, released in November 2025. Administrators are strongly advised to upgrade immediately or, if patching is not possible, to disable the Git node and restrict access for untrusted users to mitigate risk. The disclosure follows a series of critical vulnerabilities in n8n, highlighting ongoing security challenges for the platform. The Canadian Centre for Cyber Security and other sources have issued advisories urging prompt action to apply the necessary updates. The vulnerability underscores the importance of timely patch management and access control for workflow automation tools, especially those exposed to untrusted users or the internet.
1 month ago
Critical n8n Workflow Automation Platform Vulnerabilities Enable Remote Code Execution
Multiple critical vulnerabilities have been disclosed in the open-source workflow automation platform n8n, exposing both self-hosted and cloud deployments to severe security risks. The most severe flaw, tracked as CVE-2026-21877, allows authenticated attackers to execute arbitrary code on affected instances, potentially granting full control over the system. This vulnerability impacts a wide range of n8n installations, and while patches have been released, unpatched systems remain at risk. Another critical flaw, CVE-2026-21858, has also been highlighted, with reports indicating that over 100,000 servers could be exposed due to the public release of exploit code. Security researchers have emphasized the urgency of applying available patches to mitigate these threats, as the public availability of exploits significantly increases the likelihood of widespread attacks. Organizations using n8n are strongly advised to update their deployments immediately and review their exposure, especially if instances are accessible from the internet. The vulnerabilities underscore the importance of timely patch management and monitoring for signs of compromise in automation and integration platforms.
1 month ago
Critical Remote Code Execution Vulnerabilities in n8n Workflow Automation Platform
A critical vulnerability, CVE-2025-68613, has been discovered in the n8n open-source workflow automation platform, allowing authenticated users with workflow creation or editing permissions to execute arbitrary system commands on the underlying server. This flaw, rated 9.9 on the CVSS scale, stems from improper sandboxing of JavaScript expressions within workflow definitions, enabling attackers to escape restrictions and gain system-level access. The vulnerability does not require administrative privileges, making it a significant risk in environments with multiple users or weak access controls, and could lead to full system compromise, data exfiltration, workflow sabotage, and lateral movement. Another related vulnerability, CVE-2025-68668, also enables sandbox escape in n8n, turning workflows into potential attack vectors. Both vulnerabilities highlight the urgent need for organizations using n8n to review user permissions, apply available patches, and implement strong access controls to mitigate the risk of exploitation. While there is no current evidence of active exploitation, the ease of attack and the platform's popularity make immediate remediation essential.
1 month ago