Cyber Posture

CVE-2026-21877

Critical

Published: 08 January 2026

Modified: 20 January 2026
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1414 (94.4th percentile)
Risk Priority: 28 (60% EPSS · 20% KEV · 20% CVSS)

Description

n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates CVE-2026-21877 by requiring timely remediation of the specific code execution flaw through patching to version 1.121.3.

prevent: Reduces exposure to the vulnerability by disabling unnecessary features like the Git node, as recommended in the advisory.

prevent: Prevents code injection attacks (CWE-94) underlying CVE-2026-21877 by validating inputs to the n8n service for malicious code.

Security Summary

CVE-2026-21877 is a critical code execution vulnerability (CWE-94: Improper Control of Generation of Code, CWE-434: Unrestricted Upload of File with Dangerous Type) affecting n8n, an open source workflow automation platform. Versions 0.121.2 and prior are vulnerable, allowing an authenticated attacker to execute malicious code through the n8n service. The issue impacts both self-hosted instances and n8n Cloud deployments, with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the n8n service, potentially leading to full system compromise, including high impacts on confidentiality, integrity, and availability due to the changed scope.

The vulnerability is fixed in n8n version 1.121.3. Advisories recommend upgrading to the latest version as the primary mitigation, with interim workarounds including disabling the Git node and restricting access for untrusted users to reduce exposure. Details are available in the n8n security advisory (GHSA-v364-rw7m-3263) and the fixing commit (f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6).

Details

CWE(s)

Affected Products

n8n
n8n
0.123.0 — 1.121.3

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-21877 enables authenticated remote code execution in the public-facing n8n workflow automation platform via improper code generation control and unrestricted file upload, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References