PT-2026-6100 · N8N · N8N
Berkdedekarginoglu · Published 2026-02-04 · Updated 2026-02-05 · CVE-2026-21893
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
n8n versions 0.187.0 through 1.120.2
Description
n8n is a workflow automation platform. A command injection issue was identified in its community package installation functionality: the package installation process lacks sufficient input sanitization. Under specific conditions, this allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host. The vulnerability allows for potential privilege escalation from administrator to root. The issue was present in versions from 0.187.0 up to, but not including, 1.120.3.
Recommendations
Update to version 1.120.3 or later.
Exploit
Fix
LPE
OS Command Injection
RCE
Affected Products
N8N