Executive Summary
In January 2026, a critical supply-chain vulnerability (CVE-2026-21858, CVSS 10.0) was disclosed in n8n, a widely used open-source workflow automation tool. This unauthenticated remote code execution flaw enables attackers to fully compromise vulnerable self-hosted instances, potentially taking control of exposed servers across an estimated 100,000 global installations. The vulnerability is present in n8n versions between 1.65.0 and 1.120.4. No official mitigations or workarounds exist; remediation requires upgrading to version 1.121.0 or later. Attackers exploiting this bug could gain persistent access, manipulate workflows, or use impacted servers for further lateral movement and supply-chain attacks.
This incident highlights a growing trend of attackers targeting automation and orchestration platforms as initial entry points. The rapid exploitation window, lack of mitigations, and broad exposure emphasize the urgent need for organizations to prioritize patching and review their supply-chain and workflow application security.
Why This Matters Now
With no available workaround and active exploitation reported, organizations using older n8n versions face heightened risk of systemic compromise. This vulnerability exemplifies how supply-chain weak points in automation tools can disrupt operations and expose sensitive data, making immediate patching essential for operational resilience and regulatory compliance.
Attack Path Analysis
Attackers exploited a critical unauthenticated remote code execution vulnerability (CVE-2026-21858) in locally deployed n8n instances to gain initial access. Upon entry, they elevated privileges by executing code with system-level permissions due to inadequate segmentation or container isolation. The attackers then moved laterally to discover and compromise adjacent workloads within the same cloud or on-prem environment. Next, a command and control channel was established to maintain persistence and remotely control compromised hosts. Sensitive data was exfiltrated using covert or direct outbound connections. Finally, the attackers could disrupt business operations or deploy ransomware, impacting affected organizations.
Kill Chain Progression
Initial Compromise
Description
Threat actors exploited CVE-2026-21858, an unauthenticated remote code execution vulnerability in n8n, to gain unauthorized access to locally deployed server instances.
Related CVEs
CVE-2026-21858
CVSS 10An improper input validation vulnerability in n8n versions 1.65.0 through 1.120.4 allows unauthenticated remote attackers to access files on the underlying server through execution of certain form-based workflows.
Affected Products:
n8n.io n8n – 1.65.0 through 1.120.4
Exploit Status:
proof of conceptCVE-2025-49592
CVSS 4.6An open redirect vulnerability in n8n versions prior to 1.98.0 allows authenticated users to be redirected to untrusted, attacker-controlled domains after logging in, potentially leading to phishing attacks.
Affected Products:
n8n.io n8n – < 1.98.0
Exploit Status:
no public exploitCVE-2025-52478
CVSS 6.1A stored cross-site scripting (XSS) vulnerability in n8n versions 1.77.0 to before 1.98.2 allows authenticated attackers to inject malicious HTML via the Form Trigger node's HTML form element, potentially leading to account takeover.
Affected Products:
n8n.io n8n – 1.77.0 to < 1.98.2
Exploit Status:
no public exploitCVE-2026-21877
CVSS 9.8An authenticated remote code execution vulnerability in n8n versions 0.121.2 and below allows attackers to execute malicious code using the n8n service, potentially resulting in full system compromise.
Affected Products:
n8n.io n8n – <= 0.121.2
Exploit Status:
no public exploitCVE-2025-62726
CVSS 9.8A remote code execution vulnerability in the Git Node component of n8n versions prior to 1.113.0 allows attackers to execute arbitrary code within the n8n environment by exploiting pre-commit hooks in cloned repositories.
Affected Products:
n8n.io n8n – < 1.113.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
The above MITRE ATT&CK techniques are derived from the critical RCE supply-chain vulnerability context in n8n and can be extended with full STIX/TAXII enrichment as required.
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
Exploitation for Privilege Escalation
Modify Authentication Process
Exploitation of Remote Services
Resource Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management - Identification and Protection
Control ID: Article 9(2)
CISA ZTMM 2.0 – Asset and Device Management - Patch Management
Control ID: 1.1.3
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical n8n vulnerability enables remote code execution on automation platforms, requiring immediate patching to prevent supply-chain compromise of IT infrastructure.
Computer Software/Engineering
CVE-2026-21858 exposes workflow automation tools to unauthenticated takeover, threatening development pipelines and requiring zero trust segmentation controls.
Financial Services
N8n supply-chain vulnerability risks data exfiltration from automated financial workflows, demanding egress security enforcement and encrypted traffic protection.
Health Care / Life Sciences
Automation platform compromise threatens HIPAA compliance through lateral movement risks, necessitating immediate patching and east-west traffic security implementation.
Sources
- New Vulnerability in n8nhttps://www.schneier.com/blog/archives/2026/01/new-vulnerability-in-n8n.htmlVerified
- CVE-2026-21858 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-21858Verified
- Security Advisory: Security Vulnerability in n8n Versions 1.65-1.120.4https://community.n8n.io/t/security-advisory-security-vulnerability-in-n8n-versions-1-65-1-120-4/247305Verified
- n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokenshttps://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust controls such as microsegmentation, east-west traffic monitoring, and egress enforcement would have significantly limited the attack's progression—containing movement, detecting anomalies, and blocking data exfiltration even after exploitation of the n8n vulnerability.
Control: Cloud Firewall (ACF)
Mitigation: Prevents exploitation by blocking unauthorized inbound access to vulnerable services.
Control: Kubernetes Security (AKF)
Mitigation: Limits privilege escalation within containerized environments via pod-to-pod identity enforcement.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload traffic and lateral movement.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks malicious outbound C2 traffic in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents sensitive data from leaving the environment via restricted outbound filtering.
Detects abnormal activity and triggers incident response workflows to curtail further damage.
Impact at a Glance
Affected Business Functions
- Workflow Automation
- Data Processing
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to sensitive information stored in n8n instances, including workflow data and connected credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately upgrade all n8n instances to version 1.121.0 or later to address the RCE vulnerability.
- • Enforce strict cloud firewall policies to minimize public access and reduce the initial attack surface on critical services.
- • Implement east-west microsegmentation and Kubernetes network policies to contain lateral movement and privilege escalation.
- • Activate egress filtering and inline IPS inspection to detect, block, and alert on unauthorized outbound traffic and C2 activity.
- • Continuously monitor for behavioral anomalies and ensure rapid, automated incident response to mitigate impact from future supply-chain or RCE threats.
