CVE-2026-21893
HIGH
GHSA-7c4h-vh2m-743m
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
Analysis
n8n versions 0.187.0 through 1.120.2 contain a command injection vulnerability in the community package installation feature that allows authenticated administrators to execute arbitrary system commands on the host. The vulnerability requires high privilege access and specific conditions to exploit but carries high risk due to potential complete system compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all n8n deployments and identify systems running affected versions (0.187.0-1.120.2). Within 7 days: Apply patch to version 1.120.3 or later across all instances; if immediate patching is impossible, restrict package installation functionality to administrators only and disable community package sources. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today