Description
n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
Published: 2026-02-04
Score: 9.4 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n, an open-source workflow automation platform, contains a command-injection flaw in its community package installation routine. The vulnerability allows an attacker who can authenticate with administrative privileges to run arbitrary system commands on the host machine. This flaw could be exploited by sending a specially crafted package name to the installation endpoint, resulting in full compromise of confidentiality, integrity, and availability of the server.

Affected Systems

Vulnerable versions range from 0.187.0 up to, but not including, 1.120.3. The flaw exists only when the community package installation feature is enabled and users possessing administrative permissions are able to submit package names. Any deployment of the affected n8n version that meets these conditions is therefore at risk.

Risk and Exploitability

The base CVSS score of 9.4 labels this issue as critical. The EPSS score of 1.3% (0.01343) indicates a very low but nonzero probability of automated exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers need only an authenticated administrative account to inject a malicious command; once they have that, they can execute arbitrary commands on the host. Because the command is passed directly to the operating-system shell, the impact of the vulnerability is immediate and comprehensive.

Generated by OpenCVE AI on June 18, 2026 at 11:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n 1.120.3 or later, which sanitizes package names and removes the injection path.
  • Disable the community package installation feature if not required, or enforce a strict whitelist of approved packages so that untrusted input never reaches the underlying shell.
  • Limit administrative privileges to the minimum necessary users and periodically audit roles to ensure that only trusted accounts can initiate package installations.
  • Monitor logs for unusual package installation requests or unexpected command execution to detect exploitation attempts early.

Advisories
Source: GitHub GHSA
ID: GHSA-7c4h-vh2m-743m
Title: n8n Vulnerable to Command Injection in Community Package Installation
History

Fri, 20 Feb 2026 17:15:00 +0000
  • CPEs (values added): cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
  • Metrics (values added): cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Feb 2026 11:45:00 +0000
  • First Time appeared (values added): N8n, N8n n8n
  • Vendors & Products (values added): N8n, N8n n8n

Wed, 04 Feb 2026 20:15:00 +0000
  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 18:00:00 +0000
  • Description (values added): n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.
  • Title (values added): n8n Vulnerable to Command Injection in Community Package Installation
  • Weaknesses (values added): CWE-20, CWE-78
  • References (values added)
  • Metrics (values added): cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-04T19:33:50.547Z
Reserved: 2026-01-05T17:24:36.929Z
Link: CVE-2026-21893

Vulnrichment

Updated: 2026-02-04T19:33:31.179Z

NVD

Status: Analyzed
Published: 2026-02-04T18:16:08.410
Modified: 2026-06-17T10:19:06.217
Link: CVE-2026-21893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T11:15:03Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')