CVE-2026-21893 | THREATINT

Description

n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.

PUBLISHED Reserved 2026-01-05 | Published 2026-02-04 | Updated 2026-02-04 | Assigner GitHub_M

CRITICAL: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-20: Improper Input Validation

Product status

>= 0.187.0, < 1.120.3

affected

References

github.com/...io/n8n/security/advisories/GHSA-7c4h-vh2m-743m

github.com/...ommit/ae0669a736cc496beeb296e115267862727ae838

cve.org (CVE-2026-21893)

nvd.nist.gov (CVE-2026-21893)

Download JSON