n8n Issues Critical Security Alert: CVSS 10.0 RCE Vulnerability in Self-Hosted and Cloud Versions
January 7, 2026
Ravie Lakshmanan
Vulnerability / Cloud Security
Open-source workflow automation platform n8n has issued a critical security alert about a vulnerability that, if exploited, could lead to authenticated remote code execution (RCE). The flaw, tracked as CVE-2026-21877, is rated 10.0 on the CVSS scoring system, the maximum possible score.
In a security advisory released on Tuesday, n8n warned that, under specific conditions, an authenticated user could execute untrusted code within the n8n service, leading to full compromise of the affected instance. The vulnerability affects both self-hosted deployments and n8n Cloud instances, in versions greater than or equal to 0.123.0 and less than 1.121.3.
The issue has been addressed in version 1.121.3, released in November 2025. Security researcher Théo Lelasseux is credited with discovering and reporting the flaw. Users are strongly advised to upgrade to this version or later to mitigate the risk.
For those unable to patch immediately, n8n recommends limiting exposure by disabling the Git node and restricting access for untrusted users. Both steps minimize the potential impact of the vulnerability until the upgrade is applied.
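As an added example (not from n8n or the advisory), the following script triages an inventory of n8n instances against the affected range above and checks whether the Git node has been excluded. It assumes the node is disabled through n8n's NODES_EXCLUDE environment variable and that its type name is "n8n-nodes-base.git"; the hostnames and versions are constructed. A "workaround" result reflects only the Git node setting, not access restrictions.

```python
import json
import re

# Affected range as stated above: >= 0.123.0 and < 1.121.3.
FIRST_AFFECTED, FIRST_FIXED = (0, 123, 0), (1, 121, 3)
# Assumption: the Git node's type name as it would appear in NODES_EXCLUDE.
GIT_NODE = "n8n-nodes-base.git"

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for '1.120.4', 'v1.121.3-rc.1', ..."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None

def is_affected(text):
    version, prerelease = parse_version(text)
    # A pre-release of the fixed version sorts before it, so count it as affected.
    return FIRST_AFFECTED <= version < FIRST_FIXED or (version == FIRST_FIXED and prerelease)

def git_node_disabled(nodes_exclude):
    """True if the NODES_EXCLUDE value (a JSON array in a string) lists the Git node."""
    try:
        excluded = json.loads(nodes_exclude or "[]")
    except (json.JSONDecodeError, TypeError):
        return False  # malformed setting: assume the node still loads
    return isinstance(excluded, list) and GIT_NODE in excluded

def triage(instance):
    """Classify a record as 'not_affected', 'workaround', 'exposed' or 'unknown'."""
    try:
        affected = is_affected(instance.get("version", ""))
    except ValueError:
        return "unknown"
    if not affected:
        return "not_affected"
    return "workaround" if git_node_disabled(instance.get("nodes_exclude")) else "exposed"

# Constructed inventory: hostnames, versions and settings are made up for the example.
INVENTORY = [
    {"host": "n8n-prod", "version": "1.121.3"},
    {"host": "n8n-stage", "version": "1.120.4", "nodes_exclude": '["n8n-nodes-base.git"]'},
    {"host": "n8n-lab", "version": "v1.98.0", "nodes_exclude": "[]"},
    {"host": "n8n-misc", "version": "latest"},
]

if __name__ == "__main__":
    for inst in INVENTORY:
        print(f'{inst["host"]:10} {inst["version"]:10} {triage(inst)}')
```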
This security alert comes on the heels of a series of critical flaws in n8n, including CVE-2025-68613 and CVE-2025-68668, both with CVSS scores of 9.9, which could also lead to code execution under specific conditions. These recent discoveries highlight the ongoing need for vigilance and prompt action in addressing security vulnerabilities.