CVE-2026-21877

CRITICAL NUCLEI LAB

n8n 0.123.0-1.121.2 - Authenticated Remote Code Execution via Git Node

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-21877. PoCs published by monkeontheroof, CVEs-Labs. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-21877, demonstrating a reverse shell payload executed via a Node.js script. The exploit uses a FIFO pipe and netcat to establish a reverse shell connection to an attacker-controlled server.

Description

n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.

Exploits (2)

github WORKING POC

by monkeontheroof · poc

https://github.com/monkeontheroof/cve-2026-21877-rce

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-21877, demonstrating a reverse shell payload executed via a Node.js script. The exploit uses a FIFO pipe and netcat to establish a reverse shell connection to an attacker-controlled server.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Unknown (Node.js-based application)

No auth needed

Prerequisites: Network connectivity to attacker's server · Vulnerable Node.js application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 26, 2026 Full analysis →

nomisec WORKING POC

by CVEs-Labs · poc

https://github.com/CVEs-Labs/CVE-2026-21877

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-21877, targeting a command injection vulnerability in n8n workflow automation. The exploit sends a malicious payload to a custom webhook endpoint, achieving remote code execution (RCE) on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: n8n workflow automation (latest version as of 2026)

No auth needed

Prerequisites: Target system running n8n with a vulnerable webhook endpoint · Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 23, 2026 Full analysis →

Nuclei Templates (1)

n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution

CRITICALVERIFIEDby s4e-io

Shodan: http.favicon.hash:-831756631

FOFA: icon_hash="-831756631"

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263

Patch x_refsource_misc

https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6

View Patch ZIP pw:eip

Scores

CVSS v3 9.9

EPSS 0.0590

EPSS Percentile 90.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull n8nio/n8n:latest

https://github.com/n8n-io/n8n

https://github.com/CVEs-Labs/CVE-2026-21877

https://github.com/monkeontheroof/cve-2026-21877-rce

View in Library

Details

CWE

CWE-434 CWE-94

Status published

Products (2)

n8n/n8n 0.123.0 - 1.121.3

npm/n8n 0.123.0 - 1.121.3npm

Published Jan 08, 2026

Tracked Since Feb 18, 2026