CVE-2026-21893: n8n: Input Validation flaw enables exploitation

HIGH
Published February 4, 2026
CISO Take

n8n is the de facto glue layer for AI agent workflows in many organizations, making this command injection especially dangerous: a single compromised admin account escalates to full host RCE. If you're running n8n for AI orchestration, patch to 1.120.3 immediately. Audit admin account access and rotate all credentials stored in n8n workflows — LLM API keys, database passwords, and webhook secrets are all at risk.

Risk Assessment

HIGH risk despite the PR:H (admin-only) requirement. n8n admins routinely store credentials to LLM APIs, databases, SaaS tools, and internal services — full host RCE means total credential harvest. Attack complexity is low once admin access is obtained via phishing, credential stuffing, or insider threat. Organizations deploying n8n as an AI agent orchestration hub face disproportionate blast radius versus a typical web app vulnerability: the n8n process often has broad network access to production systems.

Affected Systems

Package: n8n
Ecosystem: npm
Patched: No patch


Severity & Risk

CVSS 3.1
7.2 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 44% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps
  1. PATCH

    Upgrade n8n to version 1.120.3 immediately — no workaround available for versions 0.187.0 through 1.120.2.

  2. AUDIT

    Review all admin-level accounts in n8n; enforce MFA on every admin account and rotate credentials.

  3. NETWORK

    Restrict n8n admin interface to internal networks or VPN only — do not expose admin UI to the public internet.

  4. SECRETS ROTATION

    Rotate all API keys and credentials stored in n8n workflows as a precautionary measure for any instance that may have been exposed.

  5. DETECT

    Monitor n8n host for unexpected child process spawning from the n8n process, outbound connections on non-standard ports, and anomalous package installation events in application logs.

  6. LEAST PRIVILEGE

    Ensure n8n runs as a non-root OS user with minimal filesystem and network permissions to limit blast radius from command injection.
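One way to implement the DETECT step above over n8n application logs, as an added example that is not n8n's own code or part of this advisory. The JSON-lines log shape (event, userId, packageName fields) and the sample lines are constructed assumptions; map the field names to what your n8n instance actually emits.

```javascript
// Added example (not n8n's code): flag community package install events whose
// package name could never be a legitimate npm package. Such a request is the
// signature of the injection described in this advisory, whether or not it
// succeeded, and is worth an alert on its own.

// npm naming rules: optional @scope/, lowercase, URL-safe characters only.
// Shell metacharacters (";", "|", "&", "$", "`"), whitespace and a leading "-"
// are all outside this set.
const NPM_NAME_RE = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

function isValidNpmPackageName(name) {
  return typeof name === "string" && name.length <= 214 && NPM_NAME_RE.test(name);
}

// Takes raw log lines (JSON per line is an assumed format) and returns one
// alert object per suspicious install event.
function scanInstallLog(lines) {
  const alerts = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      continue; // non-JSON line: not an event we can classify
    }
    if (entry.event !== "community-package-install") continue;
    if (!isValidNpmPackageName(entry.packageName)) {
      alerts.push({
        time: entry.time,
        user: entry.userId,
        packageName: entry.packageName,
        reason: "package name violates npm naming rules (possible command injection)",
      });
    }
  }
  return alerts;
}

// Constructed sample lines, not real n8n output.
const SAMPLE_LOG = [
  '{"time":"2026-02-05T10:01:00Z","event":"community-package-install","userId":"admin-1","packageName":"n8n-nodes-example"}',
  '{"time":"2026-02-05T10:02:00Z","event":"workflow-run","workflowId":"42"}',
  '{"time":"2026-02-05T10:03:00Z","event":"community-package-install","userId":"admin-1","packageName":"@scope/n8n-nodes-ok"}',
  '{"time":"2026-02-05T10:04:00Z","event":"community-package-install","userId":"admin-2","packageName":"n8n-nodes-x; id"}',
  "not json at all",
];

console.log(scanInstallLog(SAMPLE_LOG));
```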

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
    Article 15 - Accuracy, robustness and cybersecurity
    Article 9 - Risk management system
ISO 42001
    A.6.1.2 - Segregation of duties
    A.6.2.6 - AI system configuration and change management
    A.9.2 - AI system security
NIST AI RMF
    GOVERN 1.2 - Policies, processes, procedures are in place
    GOVERN 1.7 - Processes and procedures are in place for AI lifecycle management
    MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
    LLM05 - Supply Chain Vulnerabilities
    LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-21893 actively exploited?

No confirmed active exploitation of CVE-2026-21893 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-21893?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM orchestration pipelines, Workflow automation (AI-connected), Multi-agent systems, RAG pipelines, AI tool integrations, Model serving infrastructure (via connected credentials).

What is the CVSS score for CVE-2026-21893?

CVE-2026-21893 has a CVSS v3.1 base score of 7.2 (HIGH). The EPSS exploitation probability is 0.22%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.

Exploitation Scenario

Attacker obtains n8n admin credentials via credential stuffing against exposed login page, or phishing a developer with admin access. Using the admin panel, attacker navigates to the community package installation feature and submits a crafted package name containing injected OS commands (e.g., a semicolon-delimited shell payload). n8n executes the injected command on the host with the privileges of the n8n process. Attacker establishes a reverse shell, then extracts all credentials stored in n8n workflow configurations — including LLM API keys, vector database connection strings, and internal service tokens. With these credentials, attacker now has lateral access to every system the AI agent orchestration layer was authorized to reach, potentially including production databases, internal APIs, and cloud infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 4, 2026
Last Modified
February 20, 2026
First Seen
February 4, 2026
