🛑 CRITICAL n8n BUG 🐛 Self-Hosters Please Read - 10/10 Security Risk

🔥

Hey friends!

Hope everyone's 2026 is off to a fantastic start. Sorry for posting this across multiple communities but it is a 10/10 security risk.

A serious vulnerability (CVE-2026-21858) was publicly disclosed this week affecting all n8n versions before 1.121.0.

⚠️ What you need to know:

- Severity: CVSS 10.0 (this is the HIGHEST it can be!!)

- Risk: Unauthenticated remote code execution via webhook endpoints

- Impact: Attackers can access your n8n instance without credentials, read files, execute code, and pivot to any connected systems (databases, APIs, cloud storage, CRMs, etc.)

🔍 How it works:

The vulnerability exploits how n8n handles Content-Type headers on webhooks. By manipulating these headers, attackers can overwrite internal variables and escalate to full system compromise.

🛠️ What to do:

1. Check your version: Settings > About (or n8n --version)

2. If below 1.121.0: Update immediately

3. n8n Cloud users: You should already be patched, but verify

🏠 Self-hosters - this one's especially for you:

Many of us in this community self-host n8n (myself included). That means our instances are often internet-exposed with webhook URLs accessible to the public. Unlike cloud users who get automatic updates, we're responsible for patching ourselves. If your instance is reachable from the internet and running an unpatched version, it's vulnerable right now.

🔑 Why this matters:

n8n typically holds keys to your entire stack - API tokens, OAuth credentials, database connections. A compromised instance means a compromised everything it touches.

The fix has been available since November 18, 2025. If you haven't updated in the past 2 months, do it now.

Stay safe out there! 🙏

Article to more information here: https://www.theregister.com/2026/01/08/n8n_rce_bug/

4 comments