Description
n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
Published: 2026-02-04
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

n8n, a workflow automation platform, contains a command-injection flaw in its community package installation routine. Per the advisory's weakness classification (CWE-20 Improper Input Validation, CWE-78 OS Command Injection), input supplied to that routine, the package name, reaches the operating-system shell without adequate validation, so an authenticated administrator can run arbitrary commands on the n8n host. The command runs with the privileges of the n8n process, and because n8n holds the credentials of every service its workflows connect to, the impact on confidentiality, integrity and availability extends well beyond the host itself.

Affected Systems

n8n versions from 0.187.0 up to, but not including, 1.120.3 are affected. The vendor description limits exploitation to "specific conditions" without stating them; in practice the vulnerable path is exposed on any deployment where community package installation is enabled and at least one account holds administrative permissions, regardless of instance size or network placement. Instances with community packages disabled do not expose the affected functionality.

Risk and Exploitability

The 9.4 Critical rating is the CVSS v4.0 base score assigned by GitHub; NVD's CVSS v3.1 assessment of the same issue is 7.2 High (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Both vectors record PR:H: the attacker must already hold an account with administrative permissions, so an external attacker first needs credentials (phishing, credential reuse, a leaked API key). The EPSS score below 1%, the absence from the CISA KEV catalog and the SSVC values (Exploitation: none, Automatable: no) say that no in-the-wild exploitation is known, not that exploitation is difficult once admin access is held. With such an account the attacker initiates a community package installation through the web interface or the REST API, supplies a crafted package name, and the injected command executes on the host with the privileges of the n8n process.

Generated by OpenCVE AI on April 18, 2026 at 13:47 UTC.

Remediation

Vendor fix: upgrade to n8n 1.120.3 or later, the release that addresses this issue (GitHub advisory GHSA-7c4h-vh2m-743m). No separate workaround is published; disabling community package installation removes the affected code path until the upgrade can be applied.

OpenCVE Recommended Actions

  • Upgrade n8n to version 1.120.3 or later, the release that fixes the package-name handling in community package installation, and verify the running version afterwards (the version is shown in the n8n UI and by `n8n --version`).
  • Where community packages are not needed, disable the feature (n8n documents the N8N_COMMUNITY_PACKAGES_ENABLED environment variable for this); where they are, keep an explicit allowlist of approved package names so that untrusted input never reaches the install routine.
  • Restrict administrative (owner/admin) roles to the minimum set of users, enforce strong authentication on those accounts, and review role assignments regularly, since exploitation requires an admin account.
  • Monitor n8n and host logs for unexpected community package installations and for child processes spawned by the n8n process other than the expected npm invocation, so that a misused admin account is detected early.

Generated by OpenCVE AI on April 18, 2026 at 13:47 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-7c4h-vh2m-743m
Title: n8n Vulnerable to Command Injection in Community Package Installation
History

Fri, 20 Feb 2026 17:15:00 +0000

Type: CPEs
  Values added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Type: Metrics (cvssV3_1)
  Values added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Feb 2026 11:45:00 +0000

Type: First Time appeared
  Values added: N8n (vendor), N8n n8n (product)
Type: Vendors & Products
  Values added: N8n (vendor), N8n n8n (product)

Wed, 04 Feb 2026 20:15:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 18:00:00 +0000

Type: Description
  Values added: n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n's community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
Type: Title
  Values added: n8n Vulnerable to Command Injection in Community Package Installation
Type: Weaknesses
  Values added: CWE-20, CWE-78
Type: References (no values shown)
Type: Metrics (cvssV4_0)
  Values added: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:33:50.547Z

Reserved: 2026-01-05T17:24:36.929Z

Link: CVE-2026-21893

Vulnrichment

Updated: 2026-02-04T19:33:31.179Z

NVD

Status : Analyzed

Published: 2026-02-04T18:16:08.410

Modified: 2026-02-20T17:07:21.170

Link: CVE-2026-21893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses