CVE-2026-21877: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n
n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.
AI Analysis
Technical Summary
CVE-2026-21877 is a critical security vulnerability classified under CWE-94 (Improper Control of Generation of Code) and CWE-434, affecting the open-source workflow automation platform n8n, versions 0.121.2 and earlier. The vulnerability allows an authenticated attacker to inject and execute arbitrary code within the n8n service environment. This is primarily due to insufficient validation and control over code generation processes, particularly involving the Git node, which can be manipulated to run malicious payloads. Because n8n is used to automate workflows that often integrate with various enterprise systems, exploitation can lead to full system compromise, including unauthorized data access, modification, or destruction, and disruption of automated processes. The vulnerability affects both self-hosted deployments and n8n Cloud instances, broadening the attack surface. The CVSS v3.1 base score is 10.0, reflecting the vulnerability’s critical nature: it can be exploited remotely over the network (AV:N), requires low privileges (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability with a scope change (S:C). Although no known exploits are currently in the wild, the severity and ease of exploitation make this a high-priority issue. The vendor has addressed the vulnerability in version 1.121.3. Until upgrading, administrators are advised to disable the Git node and restrict access to trusted users to reduce exposure.
Potential Impact
For European organizations, the impact of CVE-2026-21877 can be severe. Many enterprises rely on workflow automation platforms like n8n to streamline business processes, integrate disparate systems, and manage data flows. A successful exploit could lead to unauthorized code execution, resulting in data breaches, operational disruption, and potential lateral movement within networks. This could compromise sensitive personal data protected under GDPR, leading to regulatory penalties and reputational damage. Both cloud-based and on-premises deployments are vulnerable, affecting a wide range of sectors including finance, healthcare, manufacturing, and public administration. The critical nature of the vulnerability means attackers could gain persistent control over affected systems, manipulate workflows, or exfiltrate data. Given the interconnected nature of European IT environments and the increasing adoption of automation tools, the threat could propagate quickly if not mitigated. Additionally, disruption of automated workflows could impact business continuity and service delivery.
Mitigation Recommendations
1. Immediate upgrade to n8n version 1.121.3 or later, which contains the patch for this vulnerability. 2. Temporarily disable the Git node functionality in n8n to prevent exploitation via this vector. 3. Restrict access to the n8n platform to trusted and authenticated users only, employing strong authentication mechanisms such as MFA. 4. Implement network segmentation to isolate n8n instances from critical infrastructure and sensitive data stores. 5. Monitor logs and network traffic for unusual activity related to n8n, especially attempts to access or manipulate the Git node. 6. Conduct regular security audits and code reviews of custom workflows to detect potential injection points. 7. Educate administrators and users about the risks of code injection and the importance of applying security updates promptly. 8. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block malicious code execution attempts in real time.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
CVE-2026-21877: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n
Description
n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.
AI-Powered Analysis
Technical Analysis
CVE-2026-21877 is a critical security vulnerability classified under CWE-94 (Improper Control of Generation of Code) and CWE-434, affecting the open-source workflow automation platform n8n, versions 0.121.2 and earlier. The vulnerability allows an authenticated attacker to inject and execute arbitrary code within the n8n service environment. This is primarily due to insufficient validation and control over code generation processes, particularly involving the Git node, which can be manipulated to run malicious payloads. Because n8n is used to automate workflows that often integrate with various enterprise systems, exploitation can lead to full system compromise, including unauthorized data access, modification, or destruction, and disruption of automated processes. The vulnerability affects both self-hosted deployments and n8n Cloud instances, broadening the attack surface. The CVSS v3.1 base score is 10.0, reflecting the vulnerability’s critical nature: it can be exploited remotely over the network (AV:N), requires low privileges (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability with a scope change (S:C). Although no known exploits are currently in the wild, the severity and ease of exploitation make this a high-priority issue. The vendor has addressed the vulnerability in version 1.121.3. Until upgrading, administrators are advised to disable the Git node and restrict access to trusted users to reduce exposure.
Potential Impact
For European organizations, the impact of CVE-2026-21877 can be severe. Many enterprises rely on workflow automation platforms like n8n to streamline business processes, integrate disparate systems, and manage data flows. A successful exploit could lead to unauthorized code execution, resulting in data breaches, operational disruption, and potential lateral movement within networks. This could compromise sensitive personal data protected under GDPR, leading to regulatory penalties and reputational damage. Both cloud-based and on-premises deployments are vulnerable, affecting a wide range of sectors including finance, healthcare, manufacturing, and public administration. The critical nature of the vulnerability means attackers could gain persistent control over affected systems, manipulate workflows, or exfiltrate data. Given the interconnected nature of European IT environments and the increasing adoption of automation tools, the threat could propagate quickly if not mitigated. Additionally, disruption of automated workflows could impact business continuity and service delivery.
Mitigation Recommendations
1. Immediate upgrade to n8n version 1.121.3 or later, which contains the patch for this vulnerability. 2. Temporarily disable the Git node functionality in n8n to prevent exploitation via this vector. 3. Restrict access to the n8n platform to trusted and authenticated users only, employing strong authentication mechanisms such as MFA. 4. Implement network segmentation to isolate n8n instances from critical infrastructure and sensitive data stores. 5. Monitor logs and network traffic for unusual activity related to n8n, especially attempts to access or manipulate the Git node. 6. Conduct regular security audits and code reviews of custom workflows to detect potential injection points. 7. Educate administrators and users about the risks of code injection and the importance of applying security updates promptly. 8. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block malicious code execution attempts in real time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-05T17:24:36.928Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695f0dafe471bcf030f5212d
Added to database: 1/8/2026, 1:51:43 AM
Last enriched: 1/15/2026, 4:38:06 AM
Last updated: 2/6/2026, 11:59:55 PM
Views: 93
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core
HighCVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core
HighCVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub
HighCVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea
HighCVE-2026-25803: CWE-798: Use of Hard-coded Credentials in denpiligrim 3dp-manager
CriticalActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.