
"Open-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE). The vulnerability, which has been assigned the CVE identifier CVE-2026-21877, is rated 10.0 on the CVSS scoring system. 'Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service,' n8n said in an advisory released Tuesday."
"The maintainers said both self-hosted deployments and n8n Cloud instances are impacted. The issue impacts the following versions - It has been addressed in version 1.121.3, which was released in November 2025. Security researcher Théo Lelasseux (@theolelasseux) has been credited with discovering and reporting the flaw. Users are advised to upgrade to this version or later to completely address the vulnerability. If immediate patching is not possible, it's essential that administrators limit exposure by disabling the Git node and limiting access for untrusted users."
n8n contains a maximum-severity vulnerability, CVE-2026-21877, rated 10.0 on the CVSS scale, that can allow authenticated remote code execution (RCE). Under certain conditions, an authenticated user may cause untrusted code to be executed by the n8n service, potentially leading to full compromise of an affected instance. Both self-hosted deployments and n8n Cloud instances are impacted. The flaw is fixed in n8n version 1.121.3, released in November 2025. Security researcher Théo Lelasseux reported the vulnerability. Administrators should upgrade to 1.121.3 or later; if immediate patching is impossible, they should disable the Git node and restrict access for untrusted users. n8n previously addressed two similar critical RCE flaws, CVE-2025-68613 and CVE-2025-68668.
Read at The Hacker News
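
As an added example (not from n8n or the article), the following script triages an instance against the two remediation paths in the summary above: the upgrade and the Git node workaround. It assumes n8n's `NODES_EXCLUDE` environment variable and the node type name `n8n-nodes-base.git`; the page gives no lower bound for affected versions, so any release older than 1.121.3 is treated as needing the upgrade.

```javascript
// Added example, not n8n's or the article's code.
// Assumptions: NODES_EXCLUDE is the JSON-array environment variable n8n reads to
// block node types, and "n8n-nodes-base.git" is the Git node's type name.
const FIXED = [1, 121, 3];              // fixed release named in the advisory
const GIT_NODE = 'n8n-nodes-base.git';  // assumed node type identifier

// Strict parse: "1.121.3" or "v1.121.3". Anything else (pre-release tags,
// truncated strings) throws so it is never silently treated as patched.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return m.slice(1).map(Number);
}

// True when version >= 1.121.3, compared numerically field by field.
function isPatched(version) {
  const v = parseVersion(version);
  for (let i = 0; i < FIXED.length; i++) {
    if (v[i] !== FIXED[i]) return v[i] > FIXED[i];
  }
  return true;
}

// True only when the exclusion list parses as a JSON array containing the
// Git node. Missing or malformed values count as "not disabled".
function gitNodeDisabled(nodesExclude) {
  if (!nodesExclude) return false;
  try {
    const list = JSON.parse(nodesExclude);
    return Array.isArray(list) && list.includes(GIT_NODE);
  } catch {
    return false;
  }
}

// 'patched'   : running the fixed release or later
// 'mitigated' : Git node disabled, upgrade still required
// 'exposed'   : neither; user access restrictions cannot be checked from here
function triage(version, nodesExclude) {
  if (isPatched(version)) return 'patched';
  return gitNodeDisabled(nodesExclude) ? 'mitigated' : 'exposed';
}

// Constructed sample input: an older release with the Git node excluded.
console.log(triage('1.120.4', '["n8n-nodes-base.git"]'));
```

A `mitigated` result only reflects the Git node setting; restricting access for untrusted users has to be verified separately.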