n8n Warns of Remote Code Execution Vulnerability (CVE-2026-21877)

n8n is vulnerable to a maximum severity flaw that could allow an authenticated attacker to execute arbitrary code with the privileges of the n8n process. Tracked as CVE-2026-21877, the vulnerability has a CVSS score of 10. Under certain conditions, an authenticated user may cause untrusted code to be executed by the n8n service. This could result in complete compromise of the affected instances.

n8n is a powerful, open-source workflow automation tool that enables users to visually design and automate complex processes by connecting various apps, APIs, and services. It functions as a digital hub, transferring data and triggering actions between tools without manual intervention, while offering deep customization through code (JavaScript/Python).

Affected versions

The vulnerability affects n8n versions in the following range:

  • >= 0.123.0 and < 1.121.3

Note: The vulnerability affects both self-hosted and n8n Cloud instances.

Mitigation

Users must upgrade to n8n version 1.121.3 to patch the vulnerability.

For more information, please refer to the GitHub Security Advisory.

Workarounds

If administrators cannot upgrade to the latest version, they can reduce exposure by turning off the Git node and limiting access for untrusted users.
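The following triage check is an added example, not code from n8n or Qualys: it tests a version string against the affected range above and reports whether the Git node workaround appears to be in place. It assumes the Git node is turned off through n8n's `NODES_EXCLUDE` environment variable (a JSON array of node type names) and that the Git node's type name is `n8n-nodes-base.git`; the function names are hypothetical.

```javascript
// Added triage example; not n8n or Qualys code.
// Range from the advisory text: >= 0.123.0 and < 1.121.3.
const FIRST_AFFECTED = [0, 123, 0];
const FIRST_FIXED = [1, 121, 3];
// Assumption: type name of the Git node; verify against your installation.
const GIT_NODE = 'n8n-nodes-base.git';

// Parse "1.120.4", "v1.120.4" or "1.121.3-beta.1" into numeric parts plus a pre-release flag.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version: ${text}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Three-way comparison of [major, minor, patch] arrays.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(versionText) {
  const v = parseVersion(versionText);
  if (compare(v.nums, FIRST_AFFECTED) < 0) return false;
  const c = compare(v.nums, FIRST_FIXED);
  // A pre-release of the fixed version sorts before it under semver, so it is inside the range.
  return c < 0 || (c === 0 && v.pre);
}

// Does a NODES_EXCLUDE value list the Git node?
function gitNodeExcluded(nodesExclude) {
  if (!nodesExclude) return false;
  try {
    const list = JSON.parse(nodesExclude);
    return Array.isArray(list) && list.includes(GIT_NODE);
  } catch {
    return false; // malformed value: do not assume the workaround is active
  }
}

function triage(versionText, nodesExclude) {
  if (!isAffected(versionText)) return 'not-affected';
  return gitNodeExcluded(nodesExclude) ? 'affected-git-node-disabled' : 'affected-exposed';
}
```

A result of `affected-git-node-disabled` covers only the Git node half of the workaround; limiting access for untrusted users has to be checked separately, and the instance still needs the upgrade.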

Qualys Detection

Qualys customers can scan their devices with QID 733574 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263