Share
## https://sploitus.com/exploit?id=416A6CC1-9B66-5015-ABD6-C85F2EB29436
# ๐จ CVE-2026-21877 โ Critical RCE Vulnerability

## ๐งฉ Overview
**CVE-2026-21877** is a **critical authenticated Remote Code Execution (RCE)** vulnerability affecting **n8n**, the popular open-source workflow automation platform.
If exploited, an attacker can execute **arbitrary code on the host system**, potentially leading to **full server compromise**.
---
## ๐ Severity & Scoring
| Metric | Value |
| ----------------------- | --------------------------------------------------------- |
| **Severity** | ๐ฅ **Critical** |
| **CVSS v3 Score** | **9.9 โ 10.0** |
| **Attack Vector** | Network |
| **Privileges Required** | Low (authenticated user) |
| **User Interaction** | None |
| **Impact** | Complete loss of confidentiality, integrity, availability |
---
## ๐ฅ๏ธ Affected Software
### **Product**
* **n8n** (Workflow Automation Platform)
### **Affected Versions**
* Versions **โค 0.121.2**
* Versions **> 0.123.0 and โ ๏ธ Because n8n often integrates with internal systems, cloud APIs, and databases, the **blast radius can be significant**.
---
## ๐ก๏ธ Mitigation & Remediation
### โ
**Recommended Fix (Immediate)**
* ๐ **Upgrade to n8n version `1.121.3` or later**
### ๐ง **Temporary Workarounds**
If upgrading immediately is not possible:
* โ Disable the **Git node** or any nodes that perform file execution
* ๐ Restrict workflow creation/editing to **trusted users only**
* ๐ Minimize privileges for non-admin accounts
### ๐ **Detection & Monitoring**
* Review n8n execution logs for:
* Unexpected command execution
* Suspicious workflow changes
* Monitor outbound connections from the n8n host
* Watch for privilege escalation indicators on the underlying system
---
## ๐ Key Takeaways
* ๐ Exploitation **requires authentication**, but only **low-privilege access**
* ๐ฅ Severity is **maximum-level critical**
* ๐ Impacts both **cloud and self-hosted** deployments
* โณ No widespread public PoC yet โ **patch before one appears**
---
## ๐ง Advisory Summary
> **CVE-2026-21877 allows authenticated attackers to achieve full remote code execution on vulnerable n8n instances, leading to total system compromise if left unpatched.**
---