National Computer Emergency Response Team (National CERT) has issued an urgent advisory alerting organizations to a severe remote code execution vulnerability in the open-source workflow automation platform n8n. Identified as CVE-2026-21858, the flaw carries a maximum CVSS score of 10.0, enabling unauthenticated attackers to execute arbitrary commands and gain full control of affected systems remotely. The vulnerability arises from improper input validation and insufficient authorization checks in exposed components of the n8n platform, making exploitation highly accessible without user interaction or authentication.
According to National CERT, organizations operating vulnerable n8n instances face an immediate risk of total system compromise. Attackers leveraging this flaw could manipulate or delete workflows, steal stored credentials including API keys and tokens, and exfiltrate sensitive business data. Compromised workflows may also be used for lateral movement across connected systems, posing heightened supply chain risks for partners and downstream services. The advisory underscores the criticality of rapid patching and immediate mitigation measures to prevent attackers from exploiting this easily accessible vulnerability.
This advisory follows a series of critical vulnerabilities discovered in n8n over the past two weeks, including CVE-2025-60613, CVE-2025-68613, and CVE-2026-21877, indicating sustained interest from threat actors in targeting the platform. National CERT confirmed that versions prior to 1.121.0 are vulnerable, while some configurations up to version 1.121.3 may still remain at risk if not properly secured. Organizations are urged to upgrade to n8n version 1.121.0 or later, with 1.121.3 recommended where applicable, while also rotating all credentials and secrets, reviewing audit logs for signs of unauthorized activity, restricting network access to exposed instances, and implementing continuous monitoring and hardening practices.
Cybersecurity experts note that the vulnerability represents a particularly high risk due to the combination of unauthenticated access and full system control. Exploitation could allow attackers to manipulate critical business workflows, disrupt operational processes, and access sensitive data across multiple connected systems. The advisory emphasizes treating the situation as an emergency patching event and highlights the importance of implementing proactive security controls and monitoring for any anomalous activity in n8n environments. Organizations relying on the platform are urged to prioritize immediate remediation to safeguard both internal operations and broader ecosystem security.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
