CVE-2026-21877
Unknown Unknown - Not Provided
Remote Code Execution in n8n Workflow Automation Platform

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21877
EUVD
EUVD-2026-1037
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
n8n-io n8n From 0.123.0 (inc) to 1.121.3 (exc)
n8n-io n8n to 0.121.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21877 is a critical Remote Code Execution (RCE) vulnerability in the n8n workflow automation platform (versions 0.121.2 and below). An authenticated attacker can exploit an arbitrary file write flaw to execute malicious code on the n8n service. This flaw allows the attacker to run untrusted code remotely without user interaction, potentially leading to full system compromise. The vulnerability is related to unrestricted file uploads and unsafe repository path access in the Git node component. It has been fixed by adding checks to block unsafe repository paths and prevent unauthorized file system operations. [1, 2]

Impact Analysis

This vulnerability can lead to a full compromise of both self-hosted and n8n Cloud instances. An attacker with low privileges and no user interaction can remotely execute arbitrary code, which can result in complete loss of confidentiality, integrity, and availability of the affected system. This means sensitive data could be exposed or altered, and the service could be disrupted or controlled by the attacker. [2]

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade n8n to version 1.121.3 or later. As a temporary measure before upgrading, disable the Git node and restrict access to the n8n service for untrusted users to reduce exposure. [2]

Compliance Impact

This vulnerability allows an authenticated attacker to execute arbitrary code, potentially leading to full system compromise, which can result in unauthorized access, modification, or disruption of sensitive data. Such impacts on confidentiality, integrity, and availability could lead to non-compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data. Therefore, organizations using affected versions of n8n may face compliance risks if the vulnerability is exploited. [2]

Detection Guidance

Detection of CVE-2026-21877 involves identifying if your n8n instance is running a vulnerable version (0.121.2 and below, or up to but not including 1.121.3). You can check the n8n version by running the command `n8n --version` on the system hosting n8n. Additionally, monitoring for unusual Git node activity or unauthorized file system access attempts related to repository paths may help detect exploitation attempts. Since the vulnerability involves an arbitrary file write via the Git node, reviewing logs for errors like "Access to the repository path is not allowed" (which appears in patched versions) can indicate attempts to exploit the issue. There are no specific network detection commands provided in the resources. The recommended action is to upgrade to version 1.121.3 or later and disable the Git node or restrict access to untrusted users as temporary mitigations. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart