Get a Demo
Under Attack?
CVE-2026-21877: Critical Remote Code Execution in n8n
CVE-2026-21877: Critical Remote Code Execution in n8n

CVE-2026-21877: Critical Remote Code Execution in n8n

<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
Avital Harel January 06, 2026

Executive Summary

CVE-2026-21877 is a critical remote code execution vulnerability in n8n that allows an authenticated user to execute arbitrary code on the underlying instance. The issue affects n8n versions >= 0.123.0 and < 1.121.3 and is fixed in 1.121.3 and later. In environments where n8n automates workflows with access to internal systems, credentials, and sensitive data, successful exploitation can pose significant risk beyond the service itself. The vulnerability is tracked as CVE-2026-21877 and GitHub Security Advisory GHSA-v364-rw7m-3263.

Affected Versions

The vulnerability affects n8n versions >= 0.123.0 and < 1.121.3. Both self-hosted deployments and managed environments running these versions are impacted.

Patched Version

The issue is fixed in n8n 1.121.3 and later. Upgrading to this version (or newer) fully addresses the vulnerability.

What Is n8n?

n8n is a workflow automation platform that allows teams to connect APIs, SaaS tools, databases, and custom logic into automated workflows. It is commonly self-hosted and often runs with access to credentials, internal services, and production data – making security issues in the core platform especially impactful.

Impact

Successful exploitation of CVE-2026-21877 can result in arbitrary code execution on the host running n8n. In deployments where n8n is used to automate workflows with access to credentials, internal systems, and sensitive data, this may enable unauthorized access to connected services and downstream production systems.

What We Know So Far

  • The vulnerability can lead to remote code execution
  • Exploitation requires authenticated access
  • The issue is related to unsafe handling that can result in execution of untrusted code
  • The advisory is rated Critical (CVSS 10.0)

No public exploit details or proof-of-concept have been released at this time.

Following the disclosure of CVE-2026-21877, a separate and more severe vulnerability affecting n8n was identified as CVE-2026-21858 (“Ni8mare”). Unlike CVE-2026-21877, which requires authenticated access, CVE-2026-21858 enables unauthenticated remote code execution via exposed webhook endpoints.

Full technical deep dive on CVE-2026-21858.

Recommendations – Immediate Actions

If you are running an affected version:

  1. Upgrade immediately: Update n8n to >= 1.121.3 as soon as possible.
  2. Restrict workflow modification access: Ensure only trusted administrators can create or modify workflows, nodes, or credentials.
  3. Block high-risk nodes where possible: As an additional hardening step, n8n supports blocking specific nodes at runtime. This can reduce risk if untrusted users have access to the platform.
    Follow the official guide:
    https://docs.n8n.io/hosting/securing/blocking-nodes/
  4. Review audit logs and recent changes: Look for unexpected workflow edits or suspicious activity prior to patching.
401 Authorization Required

401 Authorization Required


nginx
Contents

Further Reading

Superhuman AI

Security AI Needs an Honest Scoreboard: What It’s Superhuman At, and Where It Comes Up Short

If you follow AI at all, you know the leaderboards. Every few weeks a model takes the top spot, and we all check where our favorite landed. But a leaderboard only tells you who's ahead, and it stays quiet about where any of those models still come up short. Which, conveniently, is the part that…
Focus Mode

Find What Matters with Upwind Focus Mode

Focus Mode is now available in the Upwind platform, giving security teams a faster, more focused way to work. Instead of navigating across the platform, you can switch to Focus Mode to slice and dice the Upwind platform by Vulnerability Management, Cloud Security Posture, Attack Surface Management, Administration, or Threats, and starting next week, AI…
Early Advisories

Introducing Early Advisories: Turn Emerging Threats into Action

We’re excited to introduce Early Advisories as part of the Upwind platform. Powered by Upwind's security research team, Early Advisories notify customers about emerging threats, including zero-days and supply chain attacks, before they receive a CVE identifier. Early Advisories are published directly into the Vulnerabilities module alongside CVE-based findings and automatically correlated with your live…