Penelope Iroko Table of Contents
The n8n RCE vulnerability received a maximum CVSS 10.0 rating, enabling authenticated remote code execution on both self-hosted and n8n Cloud instances. The vendor shipped a fix in version 1.121.3.
Cataloged as the CVE-2026-21877 vulnerability, the flaw permits execution of untrusted code that can fully compromise an affected instance. n8n confirmed broad impact across supported deployments.
Security researcher Théo Lelasseux reported the issue through coordinated disclosure. Teams unable to patch immediately should disable the Git node and restrict access for untrusted users until an urgent upgrade is completed.
n8n RCE vulnerability: What You Need to Know
- Critical authenticated RCE across self-hosted and cloud deployments; upgrade to 1.121.3 or later, or disable Git node and restrict untrusted access immediately.
- Bitdefender — Harden endpoints against RCE and lateral movement.
- 1Password — Enforce strong authentication and least privilege.
- Tenable — Discover and prioritize exposure to RCE-class flaws.
- IDrive — Protect critical workflows with secure, encrypted backups.
CVE-2026-21877 at a glance
What happened
n8n’s advisory states an authenticated user could, under specific conditions, trigger execution of untrusted code within core services. The n8n RCE vulnerability carries a CVSS 10.0 score due to potential full instance takeover.
What versions are affected
All builds from 0.123.0 up to, but not including, 1.121.3 are vulnerable across self-hosted and n8n Cloud. Any deployment running versions >= 0.123.0 and < 1.121.3 remains exposed to the n8n RCE vulnerability.
Fix availability
The patch is available in n8n 1.121.3, released in November 2025. Upgrading to 1.121.3 or later fully remediates the CVE-2026-21877 vulnerability. Patching is the only complete fix for the n8n RCE vulnerability.
Temporary risk reduction
If immediate patching is not feasible, n8n advises disabling the Git node and restricting access for untrusted users. These steps limit exposure to the n8n RCE vulnerability while upgrades are scheduled.
Severity and context
Why a CVSS 10.0 matters
A maximum CVSS score reflects catastrophic impact and limited containment once exploited. With authenticated RCE, a valid user or a compromised account can run arbitrary code, escalate privileges, and move laterally.
Left unpatched, the n8n RCE vulnerability can enable full instance takeover.
Previous critical issues reinforce urgency
The disclosure follows other serious n8n fixes, including CVE-2025-68613 and CVE-2025-68668 (both CVSS 9.9), which under certain conditions could also lead to code execution.
For comparison cases, see the analysis of a code execution flaw in a scanning tool and a report on a critical RCE in Apache MINA. Broader readiness measures appear in this round-up of critical vulnerability discoveries.
Guidance for teams
Immediate actions
Prioritize an emergency update to 1.121.3 or later. Treat the n8n RCE vulnerability as a change-control exception given its CVSS 10.0 score and full compromise potential.
For self-hosted instances
Back up configurations and workflows, then upgrade to 1.121.3 or newer without delay. Until upgraded, disable the Git node and limit access for untrusted users. These measures reduce exposure to the n8n RCE vulnerability without architectural changes.
For n8n Cloud customers
Confirm your environment is at or above 1.121.3 through console checks or vendor notices. Apply least-privilege roles and restrict untrusted access while the n8n RCE vulnerability is addressed across hosted infrastructure.
Verification and monitoring
After patching, confirm the running version is 1.121.3 or later, review audit logs for suspicious activity during the exposure window, and validate Git-related integrations.
Document lessons learned and update playbooks to strengthen n8n workflow automation security following remediation.
Implications for n8n workflow automation security
Advantages: Rapid availability of 1.121.3 and clear interim guidance indicate a responsive security posture. The vendor’s targeted mitigations give teams practical steps to reduce risk from the n8n RCE vulnerability while upgrades proceed.
Disadvantages: Because exploitation requires authentication, compromised or mismanaged accounts can become launchpads for full compromise. The wide affected range (>= 0.123.0 < 1.121.3) increases the likelihood of exposed deployments, pressuring organizations with slower patch cycles.
Conclusion
The vendor’s advisory is unequivocal: the n8n RCE vulnerability is critical and demands immediate remediation. Its CVSS 10.0 rating and full takeover risk warrant top-tier priority.
Upgrade to n8n 1.121.3 or later without delay. If patching must wait, disable the Git node and restrict untrusted access, then schedule the upgrade as an urgent change.
Security researcher Théo Lelasseux’s responsible disclosure of the CVE-2026-21877 vulnerability enabled a rapid fix and clear guidance, helping organizations reinforce n8n workflow automation security postures.
Questions Worth Answering
What is CVE-2026-21877?
– An authenticated remote code execution flaw in n8n, rated CVSS 10.0, that can lead to full instance compromise under specific conditions.
Who is affected by this issue?
– Both self-hosted and n8n Cloud deployments running versions 0.123.0 to below 1.121.3 are impacted.
Does the attack require authentication?
– Yes. An authenticated user can trigger execution of untrusted code under certain conditions.
What’s the fix for the n8n RCE vulnerability?
– Upgrade to n8n version 1.121.3 or later to fully remediate the CVE-2026-21877 vulnerability.
What if I cannot patch immediately?
– Disable the Git node and restrict access for untrusted users, then prioritize the upgrade window.
Does this affect n8n Cloud?
– Yes. Ensure your cloud environment is running 1.121.3 or newer and enforce least-privilege access.
Who discovered the flaw?
– Security researcher Théo Lelasseux reported the vulnerability through responsible disclosure.
About n8n
n8n is an open-source workflow automation platform offering self-hosted and managed cloud options. It connects services and automates processes with low-code building blocks.
The platform integrates with databases, SaaS apps, and developer tools to orchestrate data flows and tasks. Its node-based design supports both technical and semi-technical users.
n8n supports extensibility through custom nodes and community contributions. The project issues security advisories and updates to address vulnerabilities and improve reliability.
About Théo Lelasseux
Théo Lelasseux is a security researcher credited with reporting CVE-2026-21877 to n8n. His disclosure enabled timely remediation.
Known as @theolelasseux, he shares research and findings publicly. His work underscores the value of coordinated vulnerability reporting.
By identifying high-impact issues, he helps vendors improve defenses and supports safer software ecosystems through prompt fixes and guidance.
- Plesk — Streamline patching and server security.
- Optery — Remove exposed personal data from the web.
- Blackbox AI — Accelerate secure code reviews with AI.
