Critical n8n Workflow Automation Platform Vulnerabilities Enable Remote Code Execution
Multiple critical vulnerabilities have been disclosed in the open-source workflow automation platform n8n, exposing both self-hosted and cloud deployments to severe security risks. The most severe flaw, tracked as CVE-2026-21877, allows authenticated attackers to execute arbitrary code on affected instances, potentially granting full control over the system. This vulnerability impacts a wide range of n8n installations, and while patches have been released, unpatched systems remain at risk. Another critical flaw, CVE-2026-21858, has also been highlighted, with reports indicating that over 100,000 servers could be exposed due to the public release of exploit code.
Security researchers have emphasized the urgency of applying available patches to mitigate these threats, as the public availability of exploits significantly increases the likelihood of widespread attacks. Organizations using n8n are strongly advised to update their deployments immediately and review their exposure, especially if instances are accessible from the internet. The vulnerabilities underscore the importance of timely patch management and monitoring for signs of compromise in automation and integration platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public exploit released for n8n flaw CVE-2026-21858
A public exploit was released for critical n8n vulnerability CVE-2026-21858, increasing the likelihood of active exploitation. Reporting said the flaw exposed roughly 100,000 servers, making it a high-priority issue for organizations running n8n.
n8n patches critical authenticated RCE CVE-2026-21877
A max-severity vulnerability tracked as CVE-2026-21877 was identified in the n8n workflow automation platform, allowing authenticated remote code execution on self-hosted and n8n Cloud instances. The issue had been patched by the time it was publicly reported, reducing risk for updated deployments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Remote Code Execution Vulnerability in n8n Workflow Automation Platform
A critical remote code execution vulnerability, tracked as CVE-2026-21877, has been identified in the n8n workflow automation platform. The flaw, rated CVSS 10.0, allows authenticated users to execute arbitrary code on affected n8n instances, posing a significant risk to environments where n8n is used to automate workflows with access to sensitive data, internal systems, and credentials. The vulnerability impacts n8n versions from 0.123.0 up to but not including 1.121.3, affecting both self-hosted and managed deployments. Exploitation requires authenticated access, and the vulnerability is linked to unsafe handling that can result in the execution of untrusted code. The issue has been addressed in n8n version 1.121.3 and later, and users are strongly advised to upgrade immediately to mitigate the risk. Additional recommendations include restricting workflow modification access to trusted administrators, blocking high-risk nodes at runtime, and reviewing audit logs for suspicious activity prior to patching. No public exploit details or proof-of-concept have been released as of the latest advisories. Organizations using n8n should prioritize patching and implement hardening measures to prevent potential compromise of their automation infrastructure.
Mar 21, 2026
Critical Remote Code Execution Vulnerabilities in n8n Workflow Automation Platform
A critical vulnerability, CVE-2025-68613, has been discovered in the n8n open-source workflow automation platform, allowing authenticated users with workflow creation or editing permissions to execute arbitrary system commands on the underlying server. This flaw, rated 9.9 on the CVSS scale, stems from improper sandboxing of JavaScript expressions within workflow definitions, enabling attackers to escape restrictions and gain system-level access. The vulnerability does not require administrative privileges, making it a significant risk in environments with multiple users or weak access controls, and could lead to full system compromise, data exfiltration, workflow sabotage, and lateral movement. Another related vulnerability, CVE-2025-68668, also enables sandbox escape in n8n, turning workflows into potential attack vectors. Both vulnerabilities highlight the urgent need for organizations using n8n to review user permissions, apply available patches, and implement strong access controls to mitigate the risk of exploitation. While there is no current evidence of active exploitation, the ease of attack and the platform's popularity make immediate remediation essential.
Mar 21, 2026
Critical RCE and security-bypass vulnerabilities in n8n workflow automation platform
Researchers reported **critical vulnerabilities in the n8n low-code workflow automation platform** that can enable **host-level compromise**. The issues include **CVE-2026-1470 (CVSS 9.9)** and **CVE-2026-0863 (CVSS 8.5)**, described as allowing attackers to **bypass security controls**, achieve **arbitrary code execution**, and potentially obtain **full control of n8n services**, with downstream exposure of **credentials, API keys, and other sensitive data**. Impact spans **cloud deployments** as well as **self-hosted instances** that have not been patched. Given n8n’s common use to integrate SaaS services and increasingly to orchestrate **LLM-enabled business workflows**, successful exploitation could provide broad access to connected systems and secrets stored in workflows. Coverage also noted the disclosures follow an earlier, separate critical n8n issue reported in late 2025, reinforcing the need for tighter vulnerability management around automation/orchestration tooling. Organizations were urged to **upgrade to patched versions** and review hardening controls for n8n deployments, particularly where the platform has access to high-privilege tokens and production integrations.
Mar 21, 2026