CVE-2026-21893
📋 TL;DR
A command injection vulnerability in n8n's community package installation functionality allows authenticated administrators to execute arbitrary system commands on the host server. This affects n8n installations from version 0.187.0 to before 1.120.3. The vulnerability requires administrative access to exploit.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, or pivot to other systems.
Likely Case
Privilege escalation leading to data theft, service disruption, or installation of backdoors by malicious insiders or compromised admin accounts.
If Mitigated
Limited impact due to proper access controls, monitoring, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires authenticated administrative access to the n8n interface. The vulnerability is in the package installation feature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.120.3
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m
Restart Required: Yes
Instructions:
1. Backup your n8n data and workflows. 2. Update n8n to version 1.120.3 or later using your package manager or deployment method. 3. Restart the n8n service. 4. Verify the update was successful.
🔧 Temporary Workarounds
Disable community package installation
allTemporarily disable the vulnerable package installation functionality
Set N8N_COMMUNITY_PACKAGES_ENABLED=false in environment variables or configuration
Restrict admin access
allLimit administrative access to only trusted users and implement strong authentication
🧯 If You Can't Patch
- Implement strict network segmentation to isolate n8n instances from critical systems
- Enforce multi-factor authentication for all administrative accounts and monitor admin activity logs
🔍 How to Verify
Check if Vulnerable:
Check n8n version via web interface or API. If version is between 0.187.0 and 1.120.2 inclusive, the system is vulnerable.Check Version:
Check n8n web interface settings or use API endpoint /rest/healthVerify Fix Applied:
Confirm n8n version is 1.120.3 or later and test that community package installation functions properly without command injection.📡 Detection & Monitoring
Log Indicators:
- Unusual package installation attempts
- Suspicious command execution in n8n logs
- Multiple failed authentication attempts followed by admin login
Network Indicators:
- Unexpected outbound connections from n8n server
- Unusual traffic patterns to/from n8n admin interface
SIEM Query:
source="n8n" AND (event="package_install" OR event="command_execution") | stats count by user, command