Critical Security Flaw in n8n Poses Remote Code Execution Risk
n8n, the open-source workflow automation platform, has identified a critical security vulnerability that could allow authenticated users to execute arbitrary code remotely. This flaw, designated as CVE-2026-21877, has been assigned the highest possible severity rating of 10.0 on the Common Vulnerability Scoring System (CVSS).
The vulnerability affects both self-hosted and cloud-based instances of n8n, specifically versions from 0.123.0 up to, but not including, 1.121.3. The issue has been resolved in version 1.121.3, released in November 2025. Security researcher Théo Lelasseux is credited with discovering and reporting this flaw.
To mitigate the risk, users are strongly advised to upgrade to version 1.121.3 or later. If immediate updating is not feasible, administrators should disable the Git node and restrict access for untrusted users to minimize exposure.
This disclosure follows a series of critical vulnerabilities addressed by n8n, including CVE-2025-68613 and CVE-2025-68668, both with CVSS scores of 9.9, which could also lead to code execution under specific conditions.
