CVE-2026-21893
Published: 04 February 2026
Summary
CVE-2026-21893 is a critical-severity Improper Input Validation (CWE-20) vulnerability in n8n (vendor n8n). Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 32.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21893 is a command injection vulnerability (CWE-20, CWE-78) in the community package installation functionality of n8n, an open source workflow automation platform. The flaw affects versions from 0.187.0 up to but not including 1.120.3, enabling authenticated administrative users to execute arbitrary system commands on the n8n host under specific conditions. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Exploitation requires an authenticated attacker with administrative permissions on the n8n instance. From a network-accessible position with low attack complexity and no user interaction needed, such an attacker can inject and execute arbitrary commands on the underlying host system, potentially leading to full compromise of the server running n8n.
The vulnerability has been addressed in n8n version 1.120.3. Official mitigation details are available in the n8n security advisory at GHSA-7c4h-vh2m-743m and the patching commit ae0669a736cc496beeb296e115267862727ae838 on the project's GitHub repository, which security practitioners should review for implementation guidance and verification steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5369
Vulnerability details
n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n's community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vuln in public-facing n8n web app directly enables remote OS command execution (T1190 + T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces input validation and sanitization on package installation parameters to block command injection (CWE-78) before arbitrary system commands can execute.
- SI-2 (Flaw Remediation): requires timely identification and remediation of the identified flaw by upgrading n8n to version 1.120.3 or later, eliminating the vulnerable code path.
- Limits the number of users granted administrative privileges required to reach the community package installation function, reducing the population able to trigger the injection.