SOCRadar® Cyber Intelligence Inc. | CVE-2026-21877: Max-Severity n8n Flaw Allows Authenticated RCE
Jan 07, 2026

CVE-2026-21877: Max-Severity n8n Flaw Allows Authenticated RCE

Open-source automation tools are widely used because they simplify complex workflows and reduce operational overhead. However, their deep integration into systems also means that security weaknesses can have serious consequences. Recently, the workflow automation platform n8n disclosed a maximum-severity vulnerability that could allow authenticated attackers to execute arbitrary code on affected instances.

The issue, tracked as CVE-2026-21877, affects both self-hosted deployments and n8n Cloud. It has already been patched, but organizations running vulnerable versions remain exposed until updates are applied.

What Is CVE-2026-21877?

CVE-2026-21877 (CVSS 10.0) is a critical authenticated Remote Code Execution (RCE) vulnerability. Under certain conditions, a legitimate user can abuse application behavior in a way that causes the n8n service to execute untrusted code, ultimately allowing attackers to take full control of the affected automation instance.

The severity rating reflects several factors: low attack complexity, network-based exploitation, minimal privileges required, and high impact on confidentiality, integrity, and availability.

This disclosure follows other recently patched critical issues in n8n – such as CVE-2025-68668 (command execution in the Python Code node) and CVE-2025-68613 (RCE) – highlighting how workflow automation platforms have become high-value targets. As these tools increasingly handle credentials, APIs, and business logic, keeping them up to date is a core part of infrastructure security management.

How Can Authenticated RCE Occur in This Case?

At a high level, the issue stems from an arbitrary file write condition that can be abused by an authenticated user. When combined with how n8n processes workflows and nodes, this flaw can allow attacker-controlled code to be written and later executed by the service.

Because no user interaction is required beyond authentication, exploitation can occur quietly once access is obtained.

Which n8n Versions and Deployments Are Affected?

CVE-2026-21877 impacts n8n versions from 0.123.0 up to, but not including, 1.121.3. Both self-hosted installations and n8n Cloud environments fall within the affected scope.

Organizations running older long-lived deployments are particularly at risk, especially if access controls have not been tightly restricted or if multiple users can create or modify workflows.
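
The affected range above can be applied to a deployment inventory to decide which instances need the upgrade first. This is an added example, not code from the article or the n8n project; the inventory format, the hostnames, and the `review` status for pre-release builds of 1.121.3 are assumptions.

```javascript
// Affected range as stated in the article: 0.123.0 <= version < 1.121.3.
const FIRST_AFFECTED = [0, 123, 0];
const FIRST_FIXED = [1, 121, 3];

// Parse "1.120.4", "v1.120.4" or "1.121.3-beta.1" into numeric parts plus a pre-release flag.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classify one version string against the affected range.
function classify(raw) {
  const v = parseVersion(raw);
  if (!v) return "unknown"; // tags such as "latest" cannot be judged offline
  if (compareParts(v.parts, FIRST_AFFECTED) < 0) return "not-affected";
  const cmpFixed = compareParts(v.parts, FIRST_FIXED);
  if (cmpFixed < 0) return "affected";
  // A pre-release of the fixed version sorts before it under semver; the article
  // does not cover such builds, so flag them for manual review (assumption).
  if (cmpFixed === 0 && v.prerelease) return "review";
  return "patched";
}

// Triage a list of { host, version } records, most urgent first.
function triage(inventory) {
  const order = { affected: 0, unknown: 1, review: 2, patched: 3, "not-affected": 4 };
  return inventory
    .map((item) => ({ ...item, status: classify(item.version) }))
    .sort((a, b) => order[a.status] - order[b.status]);
}

// Constructed sample inventory (hypothetical hostnames).
const sample = [
  { host: "automation-01.example.internal", version: "1.121.3" },
  { host: "automation-02.example.internal", version: "v1.99.0" },
  { host: "automation-03.example.internal", version: "0.122.5" },
  { host: "automation-04.example.internal", version: "latest" },
];
for (const r of triage(sample)) console.log(`${r.status.padEnd(12)} ${r.host} ${r.version}`);
```

Instances reported as `unknown` carry a tag rather than a version number and need their running version confirmed before they can be ruled out.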

What Are the Real-World Risks for Organizations?

If exploited, CVE-2026-21877 could allow attackers to:

  • Execute system-level commands on the n8n host
  • Access credentials stored in workflows or environment variables
  • Modify or disrupt automated business processes
  • Pivot to other internal systems connected through n8n integrations

For teams using n8n in production automation, the risk goes beyond data exposure and extends into operational disruption.

SOCRadar Vulnerability Intelligence


For security teams monitoring critical vulnerabilities like CVE-2026-21877, platforms such as SOCRadar can provide additional context and visibility. By combining Cyber Threat Intelligence and Attack Surface Management (ASM) modules, your organization can easily track newly disclosed issues, understand potential exposure across assets, and prioritize remediation based on real-world risk.

How Has the Issue Been Fixed?

The n8n maintainers resolved the vulnerability in version 1.121.3, released in November 2025. Details are available in the official security advisory published on GitHub.

Security researcher Théo Lelasseux responsibly disclosed the issue, allowing a coordinated fix before widespread abuse.

What Should Administrators Do If They Cannot Patch Immediately?

While upgrading is the recommended solution, temporary mitigations are available for environments where patching is delayed:

These measures do not eliminate the vulnerability but can significantly reduce exposure until an update is applied.