CVE-2026-21893
published 2026-02-04CVE-2026-21893: n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community…
PriorityP352high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
1.34%
67.9th percentile
n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n-io | n8n | — | — |
| n8n | n8n | >= 0.187.0 < 1.120.3 | 1.120.3 |
| n8n | n8n | >= 0.187.0 < 1.120.3 | 1.120.3 |
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
n8n Vulnerable to Command Injection in Community Package Installation
osv·2026-02-04
CVE-2026-21893 [CRITICAL] n8n Vulnerable to Command Injection in Community Package Installation
n8n Vulnerable to Command Injection in Community Package Installation
### Impact
A Command Injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions.
**Important context**
- Exploitation requires _administrative_ access to the n8n instance.
- The affected functionality is restricted to trusted users who are already permitted to install third-party community packages.
- No unauthenticated or low-privilege exploitation is possible.
- There is no evidence of exploitation in the wild.
Because administrative users can already extend n8n with custom or community code, the vulnerability does not meaningfully ex
GHSA
n8n Vulnerable to Command Injection in Community Package Installation
ghsa·2026-02-04
CVE-2026-21893 [CRITICAL] CWE-20 n8n Vulnerable to Command Injection in Community Package Installation
n8n Vulnerable to Command Injection in Community Package Installation
### Impact
A Command Injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions.
**Important context**
- Exploitation requires _administrative_ access to the n8n instance.
- The affected functionality is restricted to trusted users who are already permitted to install third-party community packages.
- No unauthenticated or low-privilege exploitation is possible.
- There is no evidence of exploitation in the wild.
Because administrative users can already extend n8n with custom or community code, the vulnerability does not meaningfully ex
No detection rules found.
No public exploits indexed.
2026-02-04
Published