CVE-2026-21877
Published: 08 January 2026
Summary
CVE-2026-21877 is a critical-severity Code Injection (CWE-94) vulnerability in N8N N8N. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-21877 by requiring timely remediation of the specific code execution flaw through patching to version 1.121.3.
Reduces exposure to the vulnerability by disabling unnecessary features like the Git node, as recommended in the advisory.
Prevents code injection attacks (CWE-94) underlying CVE-2026-21877 by validating inputs to the n8n service for malicious code.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-21877 enables authenticated remote code execution in the public-facing n8n workflow automation platform via improper code generation control and unrestricted file upload, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n…
more
Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.
Deeper analysisAI
CVE-2026-21877 is a critical code execution vulnerability (CWE-94: Improper Control of Generation of Code, CWE-434: Unrestricted Upload of File with Dangerous Type) affecting n8n, an open source workflow automation platform. Versions 0.121.2 and prior are vulnerable, allowing an authenticated attacker to execute malicious code through the n8n service. The issue impacts both self-hosted instances and n8n Cloud deployments, with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary code execution on the n8n service, potentially leading to full system compromise, including high impacts on confidentiality, integrity, and availability due to the changed scope.
The vulnerability is fixed in n8n version 1.121.3. Advisories recommend upgrading to the latest version as the primary mitigation, with interim workarounds including disabling the Git node and restricting access for untrusted users to reduce exposure. Details are available in the n8n security advisory (GHSA-v364-rw7m-3263) and the fixing commit (f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6).
Details
- CWE(s)