n8n Warns of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted and Cloud Versions
n8n Warns of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted and Cloud Versions
Open-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE).
The vulnerability, which has been assigned the CVE identifier CVE-2026-21877, is rated 10.0 on the CVSS scoring system.
“Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service,” n8n said in an advisory released Tuesday. “This could result in full compromise of the affected instance.”
The maintainers said both self-hosted deployments and n8n Cloud instances are impacted. The issue impacts the following versions –
- >= 0.123.0
- < 1.121.3
It has been addressed in version 1.121.3, which was released in November 2025. Security researcher Théo Lelasseux (@theolelasseux) has been credited with discovering and reporting the flaw.
Users are advised to upgrade to this version or later to completely address the vulnerability. If immediate patching is not possible, it’s essential that administrators limit exposure by disabling the Git node and limiting access for untrusted users.
The disclosure comes as n8n has addressed a steady stream of critical flaws in the platform (CVE-2025-68613 and CVE-2025-68668, CVSS scores: 9.9) that could lead to code execution under specific conditions.
About Author
