CVE-2026-21893
Published: 04 February 2026
Summary
CVE-2026-21893 is a high-severity Improper Input Validation (CWE-20) vulnerability in the n8n workflow automation platform. Its CVSS base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 44.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Directly implements checks on information inputs to reject invalid data before processing.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The command injection vulnerability in the public-facing n8n web application lets an attacker who already holds administrative credentials execute arbitrary OS commands on the n8n host, so the initial exploitation maps to T1190 (Exploit Public-Facing Application) and the resulting command execution to T1059 (Command and Scripting Interpreter).
NVD Description
n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
Deeper analysis (AI-generated)
CVE-2026-21893 is a command injection vulnerability (CWE-20, CWE-78) in the community package installation functionality of n8n, an open source workflow automation platform. The flaw affects versions from 0.187.0 up to but not including 1.120.3, enabling authenticated administrative users to execute arbitrary system commands on the n8n host under specific conditions. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Exploitation requires an attacker who is already authenticated to the n8n instance with administrative permissions, which is why the vector carries PR:H. From a network-accessible position, with low attack complexity and no user interaction, such an attacker can inject and execute arbitrary commands on the underlying host, potentially leading to full compromise of the server running n8n. In practice that means the realistic paths are a compromised administrator account or a malicious insider; the "specific conditions" the advisory refers to are not detailed on this page.
The vulnerability has been addressed in n8n version 1.120.3. Official mitigation details are available in the n8n security advisory at GHSA-7c4h-vh2m-743m and the patching commit ae0669a736cc496beeb296e115267862727ae838 on the project's GitHub repository, which security practitioners should review for implementation guidance and verification steps.
Details
- CWE(s)