CVSS 10.0 Alert: Critical n8n Flaw CVE-2026-21877 Grants Total Control

n8n, the “fair-code” workflow automation platform beloved by technical teams for blending low-code speed with coding flexibility, has issued a critical security alert. A catastrophic vulnerability, tracked as CVE-2026-21877, has been discovered that carries the maximum possible CVSS score of 10.0, threatening both self-hosted and cloud-based instances with total compromise.

The vulnerability, described as Remote Code Execution (RCE) via Arbitrary File Write, allows an authenticated user to overwrite critical files and execute untrusted code on the server, effectively handing them the keys to the kingdom.

While details on the exact exploitation method are sparse to prevent widespread abuse, the mitigation advice offers a strong clue: the vulnerability appears to live in the platform’s version control capabilities.

The advisory explicitly notes that the flaw allows an attacker to “cause untrusted code to be executed by the n8n service”. This is achieved through an “Arbitrary File Write” mechanism.

The suggested workaround points the finger at the Git node, a feature likely used for versioning workflows. Administrators unable to patch immediately are advised to “reduce exposure by disabling the Git node,” suggesting this component is the vector used to write the malicious files.

A CVSS score of 10 is rare and reserved for the most dangerous vulnerabilities—those that are easy to exploit, require low complexity, and result in total loss of confidentiality, integrity, and availability.

In this case, while the attack requires an “authenticated user,” n8n is often used collaboratively. A single compromised user account—or a malicious insider—could leverage this flaw to trigger a “full compromise of the affected instance”.

The risk is universal: “Both self-hosted and n8n Cloud instances are impacted”.

The n8n team has moved quickly to plug the hole. The vulnerability is resolved in n8n version 1.121.3.

All users are strongly advised to upgrade to this version or later immediately. For those who cannot take the system offline for an update right now, the primary defense is to disable the Git node and strictly limit access to trusted users only.

Related Posts:

• n8n Under Fire: Critical CVSS 10.0 RCE Vulnerability Grants Total Server Access
• n8n Sandbox Escape: How CVE-2025-68668 Turns Workflows into Weapons
• Critical n8n RCE Flaw (CVE-2025-65964) Allows Remote Code Execution via Git Node Configuration Manipulation
• Google Announces Git protocol version 2, Bringing Significant Performance Improvements