The workflow automation platform n8n has disclosed a critical security vulnerability that could allow authenticated users to execute unauthorized code on its service. Assigned a maximum CVSS score of 10.0, the flaw affects both self-hosted and cloud-based instances across a wide range of versions released since version 0.123.0.

The security flaw, identified as CVE-2026-21877, represents a significant threat because it allows for authenticated remote code execution. Under specific conditions, an attacker with existing credentials could exploit the system to gain full control over the affected instance. This high-severity rating highlights the potential for complete system compromise if the vulnerability is not mitigated.

The issue impacts a broad spectrum of the platform's history, specifically targeting versions starting from 0.123.0 up to any version prior to 1.121.3. Both the n8n Cloud service and independent self-hosted deployments were found to be susceptible. The discovery of this vulnerability is credited to security researcher Théo Lelasseux, who reported the findings to the maintainers.

In response to the discovery, n8n released version 1.121.3 in November 2025 to provide a permanent fix. Users are strongly encouraged to update their installations to this version or a more recent release to ensure their environments are protected. Staying on older versions leaves the infrastructure vulnerable to exploits that could lead to total data or service loss.

For administrators who are unable to apply the patch immediately, the maintainers have suggested temporary workarounds to reduce risk. These measures include disabling the Git node functionality and strictly limiting system access for any untrusted users. These steps are intended to narrow the attack surface until a full upgrade can be performed.

This latest disclosure follows a pattern of critical security updates for the platform, which has recently addressed other high-severity flaws capable of code execution. The recurring nature of these vulnerabilities underscores the importance of maintaining up-to-date software in automated environments. By prioritizing this update, organizations can defend against the escalating risks associated with authenticated remote code execution.

Source: n8n Warns Of CVSS 10 RCE Vulnerability In Self Hosted And Cloud Versions