CVE-2026-21877

9.9 CRITICAL

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on n8n workflow automation platforms, leading to full system compromise. It affects both self-hosted and n8n Cloud instances running versions 0.121.2 and below. Attackers can potentially gain complete control over affected systems.

💻 Affected Systems

Products:
  • n8n
Versions: 0.121.2 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both self-hosted deployments and n8n Cloud instances. Authentication is required, but many deployments have multiple user accounts, so the attacker only needs one of them.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: the attacker executes arbitrary code, steals data, deploys ransomware, pivots to other systems, and maintains persistent access.

🟠 Likely Case

Authenticated attackers execute malicious code to steal sensitive workflow data and credentials, and potentially compromise the systems those workflows connect to.

🟢 If Mitigated

Limited impact with proper access controls, though any user who legitimately holds an account could still exploit it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access, but the exploit appears straightforward based on the advisory description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.121.3

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263

Restart Required: Yes

Instructions:

1. Back up your n8n instance.
2. Update n8n to version 1.121.3 or later using your package manager or deployment method.
3. Restart the n8n service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Git Node

Platform: all

Disable the Git node functionality that appears to be involved in the vulnerability.

Use the n8n configuration setting that disables the Git node (the specific command depends on your deployment method).

Restrict User Access

Platform: all

Limit access to trusted users only and apply the principle of least privilege.

Review and tighten user permissions in the n8n admin interface.

🧯 If You Can't Patch

  • Disable Git node functionality completely.
  • Implement strict access controls and limit n8n access to only essential, trusted users.

🔍 How to Verify

Check if Vulnerable:

Check the n8n version via the web interface or API. If the version is 0.121.2 or below, the system is vulnerable.

Check Version:

Check the n8n web interface dashboard, or query the API endpoint /rest/version.

Verify Fix Applied:

Verify that the n8n version is 1.121.3 or higher after the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Git node operations
  • Suspicious code execution patterns
  • Authentication from unexpected sources

Network Indicators:

  • Unexpected outbound connections from n8n instance
  • Suspicious payloads in n8n API traffic

SIEM Query:

source="n8n" AND (event="git_operation" OR event="code_execution")
