DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21893: n8n RCE: Automating Your Own Demise via CVE-2026-21893


Vulnerability ID: CVE-2026-21893
CVSS Score: 9.4
Published: 2026-02-04

A critical OS command injection vulnerability in n8n's community package installation logic allows an authenticated administrator to execute arbitrary shell commands on the host server, with the privileges of the n8n process. The flaw arises from unsafe string concatenation of the 'version' parameter into the shell command that installs the package: the value is never checked against a version grammar before a shell parses it.

TL;DR

Authenticated admins can trigger RCE in n8n versions from 0.187.0 up to, but not including, 1.120.3 by injecting shell commands into the 'version' field of a community package installation request. Update to 1.120.3 or later immediately.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • CVSS v4.0: 9.4 (Critical)
  • Attack Vector: Network (Authenticated)
  • Exploit Status: PoC Available
  • Affected Versions: >= 0.187.0, < 1.120.3
  • Patch Commit: ae0669a736

Affected Systems

  • n8n Self-Hosted Instances
  • n8n Docker Containers
  • n8n: >= 0.187.0, < 1.120.3 (Fixed in: 1.120.3)

Code Analysis

Commit: ae0669a

fix(core): Sanitize version string in community package installation

    // The fix rejects any version that is not a valid semantic version
    // before it can reach the install command (valid() is the semver validator).
    if (version && !valid(version)) {
      throw new BadRequestError(`Invalid version: ${version}`);
    }

Exploit Details

  • Internal Research: The version value supplied with a community package installation request is concatenated into the shell command that installs the package without any validation, so shell metacharacters in it (command separators, pipes, backticks, command substitution) are interpreted by the shell and the resulting commands run with the privileges of the n8n process. Exploitation requires an authenticated administrator account, which limits the attacker population to insiders and anyone who has obtained an admin session.

Mitigation Strategies

  • Input Validation (SemVer): reject any version that is not a valid semantic version before it reaches the shell; this is what the upstream fix does. Passing the package spec to the installer as a separate argument (no shell) removes the bug class rather than one instance of it.
  • Least Privilege Execution: run n8n as an unprivileged user in its container so an injected command cannot escalate beyond the n8n process; if community packages are not needed, disable installation entirely (n8n exposes this through the N8N_COMMUNITY_PACKAGES_ENABLED setting).
  • Network Segmentation: keep the n8n UI and API off the public internet and reachable only from trusted networks or a VPN, so an admin session is harder to phish or replay.
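The pattern described in the exploit details and the first mitigation above, as an added example in JavaScript that is not n8n's code: a constructed vulnerable command builder that pastes the request's version into a shell command line, beside a hardened builder that validates with the strict SemVer 2.0.0 grammar and hands the package spec to execFile/spawn as a separate argv element. The command shape npm install <name>@<version>, the package-name pattern and the two request bodies are assumptions; n8n's fix calls valid() from the semver package, which is looser than the regex here (it tolerates a leading "v", for instance).

```javascript
// Added example, not n8n's code: the CWE-78 pattern behind CVE-2026-21893 as a
// constructed vulnerable builder next to a hardened one. Assumptions: the
// install command has the shape "npm install <name>@<version>", and the
// validator is the strict SemVer 2.0.0 grammar (n8n's patch uses valid() from
// the semver package, which is looser, e.g. it tolerates a leading "v").

// SemVer 2.0.0 grammar as published on semver.org, anchored at both ends so
// nothing can trail the version.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Returns the version if it is a strict SemVer string, otherwise null.
function validVersion(version) {
  return typeof version === 'string' && SEMVER_RE.test(version) ? version : null;
}

// Package names npm accepts: optional @scope/, then lowercase URL-safe chars
// that may not start with "." or "_".
const PKG_RE = /^(?:@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;

// BEFORE (vulnerable): the request's version is pasted into one string that a
// shell parses, so ";", "&&", "|", backticks and "$()" start new commands.
function buildInstallCommandUnsafe(name, version) {
  const spec = version ? `${name}@${version}` : name;
  return `npm install ${spec}`; // intended for exec(cmd), i.e. /bin/sh -c cmd
}

// AFTER (hardened): validate both inputs, then return an argv array meant for
// child_process.execFile / spawn without a shell, so the version reaches npm
// as a single literal argument even if validation were ever bypassed.
function buildInstallArgs(name, version) {
  if (!PKG_RE.test(name)) throw new Error(`Invalid package name: ${name}`);
  if (version && !validVersion(version)) throw new Error(`Invalid version: ${version}`);
  const spec = version ? `${name}@${version}` : name;
  return { file: 'npm', args: ['install', spec] };
}

// Constructed request bodies: one benign, one carrying an injected command.
const BENIGN = { name: 'n8n-nodes-example', version: '1.2.3' };
const MALICIOUS = { name: 'n8n-nodes-example', version: '1.2.3; id > /tmp/pwned' };

// Side-by-side result for one body; returns an object so callers can check it.
function compare(body) {
  let hardened;
  try {
    hardened = buildInstallArgs(body.name, body.version);
  } catch (err) {
    hardened = `rejected: ${err.message}`;
  }
  return { unsafe: buildInstallCommandUnsafe(body.name, body.version), hardened };
}

console.log(compare(BENIGN));
console.log(compare(MALICIOUS));
```

For the malicious body the unsafe builder yields npm install n8n-nodes-example@1.2.3; id > /tmp/pwned, which a shell runs as two commands; the hardened builder rejects it before anything is spawned. Validation closes this bug, but the argv form is what removes the class: with execFile('npm', ['install', spec]) and no shell, a stray value is handed to npm as one literal argument for npm to reject, not to /bin/sh to execute.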

Remediation Steps:

  1. Identify the running version: it is shown at the bottom left of the dashboard, or read the image tag with docker inspect --format '{{.Config.Image}}' <container> (a "latest" tag tells you nothing; use the dashboard in that case).
  2. Pull a fixed image: docker pull n8nio/n8n:1.120.3 (or a later release). For npm-based installs, update the global n8n package to 1.120.3 or later. Pinning an explicit version is preferable to :latest because the change is then auditable.
  3. Recreate the container or restart the service so it runs the new image.
  4. Verify the update by checking that the version in the bottom left of the dashboard reads 1.120.3 or later. Since exploitation requires an administrator account, also review the list of installed community packages for entries no administrator recognizes.
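A pre-check for step 1, added here as example code that is not the advisory's or n8n's: given the version string the dashboard or the image tag reports, it classifies an instance against the advisory's range (>= 0.187.0 and < 1.120.3) and runs that over a constructed container inventory. The inventory rows are constructed; the image-reference format is the one docker inspect --format '{{.Config.Image}}' prints.

```javascript
// Added example, not from the advisory or n8n: classify a reported n8n
// version against the affected range >= 0.187.0 and < 1.120.3 before
// deciding whether to upgrade. Input is whatever the dashboard, the image tag
// or `docker inspect` reports. Prerelease builds of the fixed version
// (1.120.3-rc.1) sort before the release and are treated as affected.

const AFFECTED_FROM = '0.187.0'; // first affected release, per the advisory
const FIXED_IN = '1.120.3';      // first fixed release

// Parse "v1.2.3-rc.1+build" or "1.2" into { core: [1, 2, 3], prerelease: bool };
// returns null for anything that is not a dotted version, e.g. "latest".
function parseVersion(version) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)], prerelease: !!m[4] };
}

// Compare two cores element by element: -1, 0 or 1.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// 'affected', 'fixed', 'unaffected' (older than the first affected release)
// or 'unknown' (unparseable, e.g. a "latest" tag).
function cve202621893Status(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (compareCore(v.core, parseVersion(AFFECTED_FROM).core) < 0) return 'unaffected';
  const cmp = compareCore(v.core, parseVersion(FIXED_IN).core);
  return cmp < 0 || (cmp === 0 && v.prerelease) ? 'affected' : 'fixed';
}

// Tag of an image reference as printed by
// `docker inspect --format '{{.Config.Image}}' <container>`; null when the
// reference has no tag (a ":5000" registry port is followed by "/", not a tag).
function tagFromImage(image) {
  const m = /:([^:/]+)$/.exec(image);
  return m ? m[1] : null;
}

// Constructed inventory of containers, as an asset list might hold them.
const INVENTORY = [
  { host: 'n8n-prod', image: 'docker.n8n.io/n8nio/n8n:1.119.1' },
  { host: 'n8n-dev', image: 'n8nio/n8n:1.120.3' },
  { host: 'n8n-lab', image: 'n8nio/n8n:latest' },
  { host: 'n8n-legacy', image: 'n8nio/n8n:0.186.0' },
];

// One row per host with its tag and status. 'unknown' rows (untagged or
// "latest") need the dashboard version, or `n8n --version` run inside the
// container (assumed to be available), to resolve.
function triage(inventory) {
  return inventory.map(({ host, image }) => {
    const tag = tagFromImage(image);
    return { host, tag, status: tag ? cve202621893Status(tag) : 'unknown' };
  });
}

console.table(triage(INVENTORY));
```

The lower bound matters as much as the upper one: a 0.186.x instance is not in the advisory's range, while 0.187.0 itself is. Anything that comes back 'affected' goes to step 2; anything 'unknown' is not cleared until the dashboard version has been read.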

References


Read the full report for CVE-2026-21893 on our website for more details including interactive diagrams and full exploit analysis.
