CVE-2026-21893

HIGH
Published February 4, 2026
CISO Take

n8n is the de facto glue layer for AI agent workflows in many organizations, making this command injection especially dangerous: a single compromised admin account escalates to full host RCE. If you're running n8n for AI orchestration, patch to 1.120.3 immediately. Audit admin account access and rotate all credentials stored in n8n workflows — LLM API keys, database passwords, and webhook secrets are all at risk.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | | No patch


Severity & Risk

CVSS 3.1
7.2 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. PATCH: Upgrade n8n to version 1.120.3 immediately — no workaround available for versions 0.187.0 through 1.120.2.
  2. AUDIT: Review all admin-level accounts in n8n; enforce MFA on every admin account and rotate credentials.
  3. NETWORK: Restrict the n8n admin interface to internal networks or VPN only — do not expose the admin UI to the public internet.
  4. SECRETS ROTATION: Rotate all API keys and credentials stored in n8n workflows as a precautionary measure for any instance that may have been exposed.
  5. DETECT: Monitor the n8n host for unexpected child process spawning from the n8n process, outbound connections on non-standard ports, and anomalous package installation events in application logs.
  6. LEAST PRIVILEGE: Ensure n8n runs as a non-root OS user with minimal filesystem and network permissions to limit the blast radius from command injection.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.6.1.2 - Segregation of duties
  A.6.2.6 - AI system configuration and change management
  A.9.2 - AI system security
NIST AI RMF
  GOVERN 1.2 - Policies, processes, procedures are in place
  GOVERN 1.7 - Processes and procedures are in place for AI lifecycle management
  MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
  LLM05 - Supply Chain Vulnerabilities
  LLM08 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.

Exploitation Scenario

An attacker obtains n8n admin credentials via credential stuffing against an exposed login page, or by phishing a developer with admin access. Using the admin panel, the attacker navigates to the community package installation feature and submits a crafted package name containing injected OS commands (e.g., a semicolon-delimited shell payload). n8n executes the injected command on the host with the privileges of the n8n process. The attacker establishes a reverse shell, then extracts all credentials stored in n8n workflow configurations — including LLM API keys, vector database connection strings, and internal service tokens. With these credentials, the attacker now has lateral access to every system the AI agent orchestration layer was authorized to reach, potentially including production databases, internal APIs, and cloud infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 4, 2026
Last Modified
February 20, 2026
First Seen
February 4, 2026