n8n Warns of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted and Cloud Versions_THN:86D0032F172AED3D7B6FA4644AD3D1CF

{
    "lastseen": "2026-01-07T11:28:31",
    "description": "![](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\nOpen-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE).\n\nThe vulnerability, which has been assigned the CVE identifier **CVE-2026-21877** , is rated 10.0 on the CVSS scoring system.\n\n\"Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service,\" n8n said in an advisory released Tuesday. \"This could result in full compromise of the affected instance.\"\n\n![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\nThe maintainers said both self-hosted deployments and n8n Cloud instances are impacted. The issue impacts the following versions -\n\n  * >= 0.123.0\n  * < 1.121.3\n\n\n\nIt has been addressed in version 1.121.3, which was released in November 2025. Security researcher Th\u00e9o Lelasseux (@theolelasseux) has been credited with discovering and reporting the flaw.\n\nUsers are advised to upgrade to this version or later to completely address the vulnerability. If immediate patching is not possible, it's essential that administrators limit exposure by disabling the Git node and limiting access for untrusted users.\n\nThe disclosure comes as n8n has addressed a steady stream of critical flaws in the platform (CVE-2025-68613 and CVE-2025-68668, CVSS scores: 9.9) that could lead to code execution under specific conditions.\n\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\n",
    "published": "2026-01-07T11:26:00",
    "modified": "2026-01-07T11:26:47",
    "type": "thn",
    "title": "n8n Warns of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted and Cloud Versions",
    "source": "",
    "references": "",
    "id": "THN:86D0032F172AED3D7B6FA4644AD3D1CF",
    "bulletinFamily": "info",
    "cwe": null,
    "cvelist": [
        "CVE-2025-68613",
        "CVE-2025-68668",
        "CVE-2026-21877"
    ],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://thehackernews.com/2026/01/n8n-warns-of-cvss-100-rce-vulnerability.html",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}