CRITICALCVE-2026-21893Published 2026-02-04Modified 2026-02-04CNA GitHub_M

CVE-2026-21893: n8n Vulnerable to Command Injection in Community Package Installation

n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.

CVSS v4.0: 9.4
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

n8n-io / n8n
>= 0.187.0, < 1.120.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m
https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838

Metrics