CVE-2026-21877 Scanner (Version Based)

n8n is a popular open-source workflow automation platform designed for technical teams to connect various applications and automate tasks. It is widely used by organizations worldwide to streamline business processes, integrate APIs, and create complex automation workflows. The platform supports both self-hosted deployments and cloud-based instances through n8n Cloud. Development teams and DevOps professionals commonly use n8n to automate CI/CD pipelines, data synchronization, and notification systems. The platform provides a visual interface for building workflows, making it accessible to both developers and non-technical users. n8n integrates with hundreds of services including databases, cloud storage providers, communication tools, and enterprise applications.

CVE-2026-21877 is a critical authenticated remote code execution vulnerability affecting n8n workflow automation platform. The vulnerability exists in the Git node functionality, which allows attackers to perform arbitrary file write operations on the server. An authenticated user can exploit this flaw to overwrite critical system files and execute malicious code with the privileges of the n8n service. The vulnerability has been assigned the maximum CVSS score of 10.0, indicating its severe impact potential. Both self-hosted installations and n8n Cloud instances are affected by this security flaw. Successful exploitation can lead to complete takeover of the n8n instance and all connected integrations.

The vulnerability resides in the Git node component of n8n, which handles Git repository operations within workflows. Attackers with valid authentication credentials can craft malicious requests that abuse the file handling mechanism of the Git node. The vulnerable endpoint allows writing files to arbitrary locations on the server filesystem without proper path validation. By exploiting this arbitrary file write capability, attackers can overwrite configuration files, inject malicious scripts, or replace executable binaries. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). Successful exploitation requires authentication but no additional privileges beyond basic user access.

Exploitation of this vulnerability can lead to complete system compromise with access to all stored credentials, API tokens, and OAuth secrets. Attackers can gain full control over the n8n instance and all connected systems through workflow automation capabilities. Database connections and cloud storage credentials configured in n8n become accessible to the attacker. The compromised instance can be used as a pivot point to attack other internal systems and services. Sensitive workflow data, including business logic and integration configurations, may be exposed or modified. Organizations may face data breaches, service disruptions, and potential regulatory compliance violations.

REFERENCES

• https://nvd.nist.gov/vuln/detail/CVE-2026-21877
• https://github.com/advisories/GHSA-v364-rw7m-3263