CVE

CVE-2026-21893

n8n Vulnerable to Command Injection in Community Package Installation

Impact

A Command Injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions.

Important context

  • Exploitation requires administrative access to the n8n instance.
  • The affected functionality is restricted to trusted users who are already permitted to install third-party community packages.
  • No unauthenticated or low-privilege exploitation is possible.
  • There is no evidence of exploitation in the wild.

Because administrative users can already extend n8n with custom or community code, the vulnerability does not meaningfully expand the threat model beyond existing administrator capabilities. However, it represents a violation of secure coding practices and has therefore been addressed.
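The bug class named above, shown as an added example that is not n8n's code and not the code of the fix: a package name interpolated into a shell command string, beside a validated argument vector passed to `execFile`. The function names, the allow-list pattern and the sample package names are assumptions made for illustration; the advisory does not describe the affected code path.

```javascript
'use strict';
const { execFile } = require('node:child_process');

// Assumed allow-list: optional npm scope, a name starting with "n8n-nodes-",
// and an optional exact x.y.z version. Anything else is rejected.
const PACKAGE_SPEC =
  /^(@[a-z0-9][a-z0-9._-]*\/)?n8n-nodes-[a-z0-9][a-z0-9._-]*(@\d+\.\d+\.\d+)?$/;

// Vulnerable pattern, for contrast: the name becomes part of one string that
// child_process.exec() would hand to a shell, which interprets ; | ` $( ) etc.
function unsafeInstallCommand(spec) {
  return `npm install ${spec}`;
}

// Hardened pattern: validate first, then build an argument vector.
function safeInstallArgs(spec) {
  if (typeof spec !== 'string' || spec.length > 214 || !PACKAGE_SPEC.test(spec)) {
    throw new Error('rejected package spec');
  }
  // --ignore-scripts stops npm lifecycle scripts from running at install time.
  return ['install', '--ignore-scripts', spec];
}

// execFile starts npm directly without a shell, so each array element
// reaches npm as exactly one argument.
function installPackage(spec, cwd, callback) {
  execFile('npm', safeInstallArgs(spec), { cwd }, callback);
}

// Helper for checks: true when the validator refuses the spec.
function isRejected(spec) {
  try {
    safeInstallArgs(spec);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = ['n8n-nodes-demo@1.2.3', 'n8n-nodes-demo; echo injected', '--global'];
```

Validation and the shell-free call are independent layers: the allow-list also rejects option-like input such as `--global`, which `execFile` alone would pass through to npm.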

Patches

Users are advised to upgrade to n8n version 1.120.3 or later, which fully resolves the issue.

As a general security best practice, n8n instance owners should ensure that:

  • Administrative access is limited to trusted users only.
  • Community packages are installed only from trusted sources.
  • Instances are kept up to date with the latest security releases.

CVSS Version

  • CVSS 4.0: base score 9.4, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVSS 3.1: base score 7.2, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

  • https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m
  • https://nvd.nist.gov/vuln/detail/CVE-2026-21893
  • https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838
  • https://github.com/n8n-io/n8n

Basic Information

  • Ecosystem:
  • Base CVSS: 7.2
  • EPSS Probability: 0.00466%
  • EPSS Percentile: 0.63931%
  • Introduced Version: 0.187.0, 1.109.0, 1.106.0, 1.58.0, 1.57.0, 1.11.0, 1.6.0, 0.219.0, 0.202.0, 0.189.0
  • Fix Available: 1.120.3