CVE-2026-21893

HIGH

NPM N8n < 1.120.3 - OS Command Injection

Title source: rule

Description

n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m

Patch x_refsource_misc

https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838

View Patch ZIP pw:eip

Scores

CVSS v3 7.2

EPSS 0.0134

EPSS Percentile 67.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-78

Status published

Products (2)

n8n/n8n 0.187.0 - 1.120.3

npm/n8n 0.187.0 - 1.120.3npm

Published Feb 04, 2026

Tracked Since Feb 18, 2026