Hey friends!
Hope everyone's 2026 is off to a fantastic start. Sorry for posting this across multiple communities, but it is a 10/10 security risk.
A serious vulnerability (CVE-2026-21858) was publicly disclosed this week affecting all n8n versions before 1.121.0.
⚠️ What you need to know:
- Severity: CVSS 10.0 (the highest score possible)
- Risk: Unauthenticated remote code execution via webhook endpoints
- Impact: Attackers can reach your n8n instance without credentials, read files, execute code, and pivot to any connected system (databases, APIs, cloud storage, CRMs, etc.)
How it works:
The bug is in how n8n's webhook endpoints handle the Content-Type header of incoming requests. By manipulating that header, an attacker can overwrite internal variables and escalate from a single unauthenticated request to full compromise of the instance.
What to do:
1. Check your version: Settings > About (or n8n --version)
2. If below 1.121.0: Update immediately
3. n8n Cloud users: You should already be patched, but verify
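Step 1 is quick by hand on a single box, but most teams run more than one self-hosted instance. Here is an added example (mine, not from the original post or the n8n project) that triages an inventory of instances against the 1.121.0 fix version. It accepts either the bare output of `n8n --version` or a Docker image tag such as `n8nio/n8n:1.120.3`, treats floating tags like `latest` as unknown rather than assuming they are patched, and treats a pre-release build of 1.121.0 as not yet fixed. The inventory is constructed sample data: `n8nio/n8n` is the project's public Docker image name, but the host names and versions below are made up.

```python
"""Fleet check: flag n8n versions below the 1.121.0 fix for CVE-2026-21858.

Added example, not from the original post or the n8n project. It assumes
only that `n8n --version` prints a bare semantic version and that
self-hosted instances are tagged `n8nio/n8n:<version>`; the inventory
below is constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (1, 121, 0)  # first release that carries the fix, per the advisory

# Constructed inventory: hostname -> image tag or `n8n --version` output.
INVENTORY = {
    "automation-01": "n8nio/n8n:1.120.3",
    "automation-02": "docker.n8n.io/n8nio/n8n:1.121.0",
    "automation-03": "n8nio/n8n:1.78.1",
    "automation-04": "1.122.4",                # raw `n8n --version` output
    "automation-05": "n8nio/n8n:latest",       # floating tag: version unknown
    "automation-06": "n8nio/n8n:1.121.0-rc.1", # pre-release of the fix version
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract MAJOR.MINOR.PATCH (plus any pre-release suffix) from an image
    tag or `n8n --version` output. Returns None for tags like `latest`.
    """
    tag = text.rsplit(":", 1)[-1].strip()  # drop registry/repo if a tag was given
    m = _VERSION_RE.search(tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), (pre or "")


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version predates the fix, False if patched, None if unknown.

    A pre-release of the fix version (e.g. 1.121.0-rc.1) sorts before the
    final release in semver, so it is treated as not yet fixed.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    major, minor, patch, pre = parsed
    core = (major, minor, patch)
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and pre:
        return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into 'vulnerable', 'patched' and 'unknown'.

    'unknown' hosts (floating tags, unparseable output) need a manual check;
    do not assume a `latest` tag means the container was actually re-pulled.
    """
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, text in sorted(inventory.items()):
        verdict = is_vulnerable(text)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Anything that lands in the "unknown" bucket still needs a manual look: a `latest` tag only tells you what the compose file says, not what image digest is actually running.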
Why this matters:
n8n typically holds the keys to your entire stack - API tokens, OAuth credentials, database connections. A compromised instance means everything it touches is compromised too.
The fix has been available since November 18, 2025, but there has been a surge of articles about this issue in the last couple of days. If you have an old n8n instance running, make sure you update it!
Stay safe out there!