Executive Summary

CVE-2026-21877 is a critical remote code execution vulnerability in n8n that allows an authenticated user to execute arbitrary code on the underlying instance. The issue affects n8n versions >= 0.123.0 and < 1.121.3 and is fixed in 1.121.3 and later. In environments where n8n automates workflows with access to internal systems, credentials, and sensitive data, successful exploitation can pose significant risk beyond the service itself. The vulnerability is also tracked as GitHub Security Advisory GHSA-v364-rw7m-3263.

Affected Versions

The vulnerability affects n8n versions >= 0.123.0 and < 1.121.3. Both self-hosted deployments and managed environments running these versions are impacted.

Patched Version

The issue is fixed in n8n 1.121.3 and later. Upgrading to this version (or newer) fully addresses the vulnerability.

What Is n8n?

n8n is a workflow automation platform that allows teams to connect APIs, SaaS tools, databases, and custom logic into automated workflows. It is commonly self-hosted and often runs with access to credentials, internal services, and production data – making security issues in the core platform especially impactful.

Impact

Successful exploitation of CVE-2026-21877 can result in arbitrary code execution on the host running n8n. In deployments where n8n is used to automate workflows with access to credentials, internal systems, and sensitive data, this may enable unauthorized access to connected services and downstream production systems.

What We Know So Far

  • The vulnerability can lead to remote code execution
  • Exploitation requires authenticated access
  • The issue is related to unsafe handling that can result in execution of untrusted code
  • The advisory is rated Critical (CVSS 10.0)

No public exploit details or proof-of-concept have been released at this time.

Related Research: Unauthenticated RCE in n8n (CVE-2026-21858)

Following the disclosure of CVE-2026-21877, a separate and more severe vulnerability affecting n8n was identified as CVE-2026-21858 (“Ni8mare”). Unlike CVE-2026-21877, which requires authenticated access, CVE-2026-21858 enables unauthenticated remote code execution via exposed webhook endpoints.

Full technical deep dive on CVE-2026-21858.

Recommendations – Immediate Actions

If you are running an affected version:

  1. Upgrade immediately: Update n8n to >= 1.121.3 as soon as possible.
  2. Restrict workflow modification access: Ensure only trusted administrators can create or modify workflows, nodes, or credentials.
  3. Block high-risk nodes where possible: As an additional hardening step, n8n supports blocking specific nodes at runtime. This can reduce risk if untrusted users have access to the platform.
    Follow the official guide:
    https://docs.n8n.io/hosting/securing/blocking-nodes/
  4. Review audit logs and recent changes: Look for unexpected workflow edits or suspicious activity prior to patching.
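The first and third actions above are the ones that can be checked mechanically across a fleet. The following JavaScript is an added example written for this advisory, not code from the n8n project: it decides whether an n8n version string falls inside the affected range stated above (>= 0.123.0 and < 1.121.3, treating a pre-release of 1.121.3 as still unpatched), triages a constructed inventory, and assembles the value of the NODES_EXCLUDE environment variable that the linked n8n guide uses to block node types at runtime. The hostnames are made up, and the two node type identifiers are assumptions about n8n's built-in node names that should be confirmed against the installed version.

```javascript
// Added example (not from the advisory or the n8n project): version triage
// for CVE-2026-21877 plus a NODES_EXCLUDE value for the node-blocking step.

const AFFECTED_FROM = "0.123.0"; // first affected version (from the advisory)
const FIXED_IN = "1.121.3";      // first patched version (from the advisory)

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and an optional
// pre-release suffix such as "1.121.3-rc.1". Anything else is rejected
// rather than silently treated as patched.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns -1, 0 or 1. Numeric components compare first; with equal numbers a
// pre-release sorts before the final release (semver rule), so "1.121.3-rc.1"
// is considered older than the fixed 1.121.3.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

// True when the version lies in [AFFECTED_FROM, FIXED_IN).
function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Reduce an inventory of { host, version } records to the ones needing action.
function triage(instances) {
  return instances
    .filter((i) => isAffected(i.version))
    .map((i) => ({ ...i, action: `upgrade to >= ${FIXED_IN}` }));
}

// n8n reads NODES_EXCLUDE as a JSON array of node type identifiers. The two
// defaults below are assumed built-in node names (command execution and
// file read/write); verify them against your n8n version before deploying.
function nodesExcludeValue(nodeTypes = [
  "n8n-nodes-base.executeCommand",
  "n8n-nodes-base.readWriteFile",
]) {
  return JSON.stringify(nodeTypes);
}

// Constructed sample inventory (hostnames and versions are made up).
const inventory = [
  { host: "n8n-prod-01", version: "1.121.2" },
  { host: "n8n-prod-02", version: "1.121.3" },
  { host: "n8n-legacy", version: "0.122.9" },
  { host: "n8n-dev", version: "v1.90.0-beta" },
];

console.log(triage(inventory));
console.log(`NODES_EXCLUDE=${nodesExcludeValue()}`);
```

Run with `node` against an exported version list; only n8n-prod-01 and n8n-dev are reported, because 0.122.9 predates the affected range and 1.121.3 is the fix. The printed NODES_EXCLUDE line can be dropped into the environment of a self-hosted deployment as an interim hardening step while the upgrade is scheduled.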