Another critical RCE flaw reported in n8n automation platform
Take action: Make sure all automation servers are isolated from the internet and accessible from trusted networks only. Update n8n to version 1.121.3 immediately and restrict workflow creation rights to a small group of trusted administrators to prevent unauthorized code execution.
n8n released a security update to fix a critical remote code execution (RCE) flaw that allows attackers to take full control of servers.
The vulnerability, tracked as CVE-2026-21877 (CVSS score 10.0), affects both self-hosted and cloud-managed instances. Attackers with low-privileged authenticated access can exploit it to run arbitrary commands. Because n8n often connects to sensitive corporate data such as CRMs, email providers, and databases, a breach here can lead to widespread data theft or ransomware deployment across an entire network.
The flaw stems from how the platform handles user input in its workflow expression engine. An attacker can craft a malicious expression that escapes the security sandbox and writes files to the server, exposing API credentials and authentication tokens for connected services, internal workflow logic and proprietary business data, and customer records stored in linked CRM and database systems, and ultimately gaining full access to the underlying server file system and network.
Security researchers estimate that over 100,000 n8n servers are currently exposed online.
Affected versions are n8n 0.123.0 through 1.121.2.
n8n fixed the flaw in version 1.121.3. The company automatically updated its cloud-hosted customers, but administrators of self-hosted instances must apply the patch manually. If an immediate upgrade is not possible, n8n recommends disabling the Git node and restricting workflow creation permissions to only the most trusted users to limit the attack surface.
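As an added example (not code from the advisory or from the n8n project), the check below takes the affected range stated above, 0.123.0 through 1.121.2 with the fix in 1.121.3, and reports which self-hosted instances in a constructed inventory still need the patch. The inventory host names and versions are made up for illustration.

```python
"""Flag self-hosted n8n instances whose version falls inside the CVE-2026-21877 affected range."""
from typing import Dict, List, Tuple

# Bounds as stated in the advisory: 0.123.0 through 1.121.2 inclusive, fixed in 1.121.3.
AFFECTED_MIN: Tuple[int, int, int] = (0, 123, 0)
AFFECTED_MAX: Tuple[int, int, int] = (1, 121, 2)
FIXED_VERSION: Tuple[int, int, int] = (1, 121, 3)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse an 'X.Y.Z' release string (optional leading 'v') into a comparable tuple.

    Anything else (pre-release tags, build metadata, fewer than three parts) is
    rejected rather than guessed at, so an unexpected string cannot be misread as patched.
    """
    parts = version.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in the inclusive affected range 0.123.0..1.121.2."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version: str) -> str:
    """Classify one instance: 'vulnerable', 'patched', or 'below-range' (older than 0.123.0)."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED_VERSION:
        return "patched"
    return "below-range"


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the host names that must be upgraded to 1.121.3 (or have the Git node disabled meanwhile)."""
    return sorted(host for host, ver in inventory.items() if assess(ver) == "vulnerable")


# Constructed inventory: hypothetical host names and versions, not real systems.
SAMPLE_INVENTORY = {
    "automation-01.example.internal": "1.121.2",
    "automation-02.example.internal": "v1.121.3",
    "legacy-n8n.example.internal": "0.123.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable to CVE-2026-21877, upgrade to 1.121.3")
```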