CVE-2026-21893: n8n: Input Validation flaw enables exploitation

HIGH
Published February 4, 2026
CISO Take

n8n is the de facto glue layer for AI agent workflows in many organizations, making this command injection especially dangerous: a single compromised admin account escalates to full host RCE. If you're running n8n for AI orchestration, patch to 1.120.3 immediately. Audit admin account access and rotate all credentials stored in n8n workflows — LLM API keys, database passwords, and webhook secrets are all at risk.

What is the risk?

HIGH risk despite the PR:H (admin-only) requirement. n8n admins routinely store credentials to LLM APIs, databases, SaaS tools, and internal services — full host RCE means total credential harvest. Attack complexity is low once admin access is obtained via phishing, credential stuffing, or insider threat. Organizations deploying n8n as an AI agent orchestration hub face disproportionate blast radius versus a typical web app vulnerability: the n8n process often has broad network access to production systems.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
7.2 / 10
EPSS
1.3%
chance of exploitation in 30 days
Higher than 68% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): High
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. PATCH

    Upgrade n8n to version 1.120.3 immediately — no workaround available for versions 0.187.0 through 1.120.2.

  2. AUDIT

    Review all admin-level accounts in n8n; enforce MFA on every admin account and rotate credentials.

  3. NETWORK

    Restrict n8n admin interface to internal networks or VPN only — do not expose admin UI to the public internet.

  4. SECRETS ROTATION

    Rotate all API keys and credentials stored in n8n workflows as a precautionary measure for any instance that may have been exposed.

  5. DETECT

    Monitor n8n host for unexpected child process spawning from the n8n process, outbound connections on non-standard ports, and anomalous package installation events in application logs.

  6. LEAST PRIVILEGE

    Ensure n8n runs as a non-root OS user with minimal filesystem and network permissions to limit blast radius from command injection.
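The DETECT and LEAST PRIVILEGE steps above as triage logic over host process telemetry; this is an added example written for this page, not code from n8n or from the advisory's publisher. The event shape, the expected-port baseline and the sample events are constructed assumptions; map your EDR or auditd fields onto them.

```javascript
// Added example, not n8n project code: triage host telemetry for shells or
// network tools spawned under the n8n process, outbound connections on
// non-baseline ports from that process tree, and n8n running as root.
const INTERPRETERS = new Set(['sh', 'bash', 'dash', 'zsh', 'python3', 'perl']);
const NET_TOOLS = new Set(['curl', 'wget', 'nc', 'ncat', 'socat']);
const EXPECTED_PORTS = new Set([443, 5432, 6379]); // assumed per-deployment baseline

// The n8n main process is assumed to be a node binary with "n8n" in its argv.
function isN8nMain(e) {
  return e.type === 'exec' && e.comm === 'node' &&
    e.argv.some(a => a === 'n8n' || a.endsWith('/n8n'));
}

// Walks events in time order, tracks the n8n process tree, returns findings.
function triageEvents(events) {
  const findings = [];
  const tree = new Set(); // pids of n8n and its descendants
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.type === 'exec') {
      if (isN8nMain(e)) {
        tree.add(e.pid);
        if (e.user === 'root') findings.push({ ts: e.ts, rule: 'n8n-running-as-root', pid: e.pid });
        continue;
      }
      if (!tree.has(e.ppid)) continue; // unrelated process, ignore
      tree.add(e.pid);                  // descendant of n8n
      if (INTERPRETERS.has(e.comm) || NET_TOOLS.has(e.comm)) {
        findings.push({ ts: e.ts, rule: 'unexpected-child-of-n8n', pid: e.pid, comm: e.comm });
      }
    } else if (e.type === 'connect' && tree.has(e.pid) && !EXPECTED_PORTS.has(e.dport)) {
      findings.push({ ts: e.ts, rule: 'outbound-nonstandard-port', pid: e.pid, dst: `${e.dst}:${e.dport}` });
    }
  }
  return findings;
}

// Constructed sample: benign start and DB connection, an unrelated admin shell,
// then a shell and a network tool under n8n and a connection on port 4444.
const SAMPLE_EVENTS = [
  { ts: 1, type: 'exec', pid: 100, ppid: 1, user: 'n8n', comm: 'node', argv: ['node', '/usr/local/bin/n8n', 'start'] },
  { ts: 2, type: 'connect', pid: 100, dport: 5432, dst: '10.0.0.5' },
  { ts: 3, type: 'exec', pid: 200, ppid: 1, user: 'root', comm: 'bash', argv: ['bash'] },
  { ts: 4, type: 'exec', pid: 101, ppid: 100, user: 'n8n', comm: 'sh', argv: ['sh', '-c', '[redacted]'] },
  { ts: 5, type: 'exec', pid: 102, ppid: 101, user: 'n8n', comm: 'nc', argv: ['nc'] },
  { ts: 6, type: 'connect', pid: 102, dport: 4444, dst: '203.0.113.7' },
];

console.log(triageEvents(SAMPLE_EVENTS));
```

Tune INTERPRETERS and EXPECTED_PORTS to the deployment; a legitimate community package install will itself spawn npm under n8n, so the baseline of expected children should be recorded before alerting on the rest.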

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.1.2 - Segregation of duties
  • A.6.2.6 - AI system configuration and change management
  • A.9.2 - AI system security
NIST AI RMF
  • GOVERN 1.2 - Policies, processes, procedures are in place
  • GOVERN 1.7 - Processes and procedures are in place for AI lifecycle management
  • MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
  • LLM05 - Supply Chain Vulnerabilities
  • LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-21893 actively exploited?

No confirmed active exploitation of CVE-2026-21893 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-21893?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM orchestration pipelines, Workflow automation (AI-connected), Multi-agent systems, RAG pipelines, AI tool integrations, Model serving infrastructure (via connected credentials).

What is the CVSS score for CVE-2026-21893?

CVE-2026-21893 has a CVSS v3.1 base score of 7.2 (HIGH). The EPSS exploitation probability is 1.34%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
LLM orchestration pipelines
Workflow automation (AI-connected)
Multi-agent systems
RAG pipelines
AI tool integrations
Model serving infrastructure (via connected credentials)

MITRE ATLAS Techniques

AML.T0011.001 Malicious Package
AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0085.001 AI Agent Tools

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.2, A.6.2.6, A.9.2
NIST AI RMF: GOVERN 1.2, GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM05, LLM08

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.

Exploitation Scenario

Attacker obtains n8n admin credentials via credential stuffing against exposed login page, or phishing a developer with admin access. Using the admin panel, attacker navigates to the community package installation feature and submits a crafted package name containing injected OS commands (e.g., a semicolon-delimited shell payload). n8n executes the injected command on the host with the privileges of the n8n process. Attacker establishes a reverse shell, then extracts all credentials stored in n8n workflow configurations — including LLM API keys, vector database connection strings, and internal service tokens. With these credentials, attacker now has lateral access to every system the AI agent orchestration layer was authorized to reach, potentially including production databases, internal APIs, and cloud infrastructure.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.
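The two CWE-20 mitigations above, applied to the community package name that the advisory identifies as the injection point; this is an added example written for this page, not n8n's own code or its fix. Its grammar is an assumed strict subset of npm's package-name rules, and the --ignore-scripts flag is an assumed extra hardening choice.

```javascript
// Added example, not n8n project code: a LangSec-style recognizer that sits as
// a distinct layer in front of the package installer. The grammar below is an
// ASSUMED strict subset of npm's naming rules (optional @scope/, lowercase
// URL-safe characters, max 214 chars); anything outside it is rejected before
// it can reach a command line.
const NAME_RE = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
const VERSION_RE = /^[0-9]+\.[0-9]+\.[0-9]+$/; // optional "@x.y.z" suffix only
const MAX_SPEC_LEN = 214;

// Returns { ok: true, name, version } or { ok: false, reason }.
function parsePackageSpec(spec) {
  if (typeof spec !== 'string' || spec.length === 0 || spec.length > MAX_SPEC_LEN) {
    return { ok: false, reason: 'missing, non-string or over-long spec' };
  }
  // A trailing "@version" is split off; index 0 would be the scope marker.
  const at = spec.lastIndexOf('@');
  const name = at > 0 ? spec.slice(0, at) : spec;
  const version = at > 0 ? spec.slice(at + 1) : null;
  if (!NAME_RE.test(name)) return { ok: false, reason: 'name outside grammar' };
  if (version !== null && !VERSION_RE.test(version)) {
    return { ok: false, reason: 'version outside grammar' };
  }
  return { ok: true, name, version };
}

// Builds the installer command as an argv array (execFile-style, no shell).
// With the recognizer in front and no shell in between, metacharacters in
// untrusted input are never interpreted. --ignore-scripts is an assumed
// additional hardening choice against malicious packages.
function buildInstallArgv(spec) {
  const parsed = parsePackageSpec(spec);
  if (!parsed.ok) throw new Error(`rejected package spec: ${parsed.reason}`);
  const target = parsed.version ? `${parsed.name}@${parsed.version}` : parsed.name;
  return ['npm', 'install', '--ignore-scripts', target];
}
```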

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 4, 2026
Last Modified
February 20, 2026
First Seen
February 4, 2026
