CVE-2026-21877 Overview
CVE-2026-21877 is a critical Code Injection vulnerability affecting n8n, an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service through the Git node component. This vulnerability could result in full system compromise and impacts both self-hosted and n8n Cloud instances.
Critical Impact
Authenticated attackers can achieve remote code execution, potentially leading to complete compromise of the n8n instance and underlying infrastructure, affecting both self-hosted deployments and cloud environments.
Affected Products
- n8n versions 0.121.2 and below (self-hosted)
- n8n Cloud instances running vulnerable versions
- n8n Git Node component
Discovery Timeline
- 2026-01-08 - CVE-2026-21877 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21877
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw resides in the Git node functionality within n8n's execution engine, specifically in how repository paths are handled and validated. When an authenticated user interacts with the Git node, the application fails to properly validate and block certain repository paths, allowing an attacker to manipulate the file system operations in a way that enables arbitrary code execution.
The vulnerability allows attackers with valid credentials to leverage the Git node integration to execute malicious code within the context of the n8n service. Given the workflow automation nature of n8n, successful exploitation could allow attackers to pivot through connected services, access sensitive credentials stored in workflows, or establish persistent access to the compromised environment.
Root Cause
The root cause of this vulnerability lies in insufficient path validation within the Git node component. Prior to the fix, the application did not properly check whether repository paths were potentially dangerous or pointed to blocked locations. The isFilePathBlocked function was not being utilized in the file system helper functions, allowing attackers to specify arbitrary paths that could lead to code execution.
Attack Vector
The attack vector is network-based and requires authentication. An attacker with valid credentials to an n8n instance can craft malicious requests to the Git node that specify specially crafted repository paths. These paths bypass the intended security controls, allowing the attacker to write files to arbitrary locations or execute code through the n8n workflow engine. The attack does not require user interaction and can cross security boundaries (changed scope), potentially affecting systems beyond the n8n instance itself.
The security patch introduces proper path blocking validation in the file system helper functions:
}
return await fsWriteFile(filePath, content, { encoding: 'binary', flag });
},
+
+ isFilePathBlocked,
});
/**
Source: GitHub Commit
Additionally, the Git node now imports and utilizes NodeOperationError to properly throw errors when blocked paths are detected:
INodeType,
INodeTypeDescription,
} from 'n8n-workflow';
-import { NodeConnectionTypes, assertParamIsBoolean, assertParamIsString } from 'n8n-workflow';
+import {
+ NodeConnectionTypes,
+ NodeOperationError,
+ assertParamIsBoolean,
+ assertParamIsString,
+} from 'n8n-workflow';
import type { LogOptions, SimpleGit, SimpleGitOptions } from 'simple-git';
import simpleGit from 'simple-git';
import { URL } from 'url';
Source: GitHub Commit
Detection Methods for CVE-2026-21877
Indicators of Compromise
- Unexpected Git operations or repository cloning activity from n8n workflows
- Unusual file system access patterns originating from the n8n process
- New or modified workflows containing suspicious Git node configurations
- Authentication logs showing repeated access to Git node endpoints
Detection Strategies
- Monitor n8n workflow execution logs for Git node operations with unusual repository paths
- Implement file integrity monitoring on the n8n installation directory and system paths
- Review audit logs for workflow modifications that add or alter Git node configurations
- Deploy network monitoring to detect unexpected outbound connections from n8n instances
Monitoring Recommendations
- Enable verbose logging for n8n workflow executions to capture Git node activity
- Configure alerting for any file write operations outside of expected directories
- Implement user behavior analytics to detect anomalous workflow creation or modification patterns
- Monitor for process spawning or command execution originating from the n8n service
How to Mitigate CVE-2026-21877
Immediate Actions Required
- Upgrade all n8n installations to version 1.121.3 or later immediately
- Disable the Git node functionality if an immediate upgrade is not possible
- Restrict n8n access to trusted users only and review current user permissions
- Audit existing workflows for any suspicious Git node configurations
- Review recent workflow execution history for signs of exploitation
Patch Information
n8n has released version 1.121.3 which addresses this vulnerability by implementing proper repository path validation. The fix ensures that the isFilePathBlocked function is exposed and utilized in file system operations, and the Git node now properly throws NodeOperationError when blocked paths are detected. Administrators should upgrade to this version as soon as possible.
For technical details on the fix, refer to the GitHub Security Advisory and the commit changes.
Workarounds
- Disable the Git node entirely through n8n's node configuration settings
- Implement network segmentation to limit n8n's access to sensitive resources
- Restrict workflow creation and modification permissions to trusted administrators only
- Deploy a web application firewall to filter malicious requests targeting the Git node
# Example: Restricting n8n node access (environment variable)
export N8N_NODES_EXCLUDE="[\"n8n-nodes-base.git\"]"
# Restart n8n service after configuration change
systemctl restart n8n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
