Jan 7, 2026
n8n's Git node failed to block writes to the `.git/hooks` directory. Authenticated attackers could use this to write a malicious `pre-commit` hook and trigger it, achieving Remote Code Execution (RCE) on the host server with the privileges of the n8n process.
A critical RCE vulnerability in the n8n workflow automation platform allows authenticated users to execute arbitrary code by manipulating the Git node to write malicious hooks into the repository's `.git` directory.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| n8n | < 1.121.3 | 1.121.3 |

| Attribute | Detail |
|---|---|
| CWE | CWE-94 (Code Injection) / CWE-22 (Path Traversal) |
| CVSS v3.1 | 9.9 (Critical) |
| Attack Vector | Network (Authenticated) |
| Privileges Required | Low (User capable of editing workflows) |
| Impact | Remote Code Execution (RCE) |
| Status | Patched (v1.121.3) |

CWE-94: Improper Control of Generation of Code ('Code Injection')
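
The missing control described above is a check that a write target never resolves into `.git`. The following is an added example of such a guard, not n8n's actual patch or code; `checkRepoWritePath` and its reason strings are hypothetical names. It assumes the caller passes a repository-relative path string, and it is purely lexical, so symlinks inside the working tree need a separate real-path check.

```javascript
// Added example: lexical guard for repo-relative write targets.
// checkRepoWritePath and its reason strings are hypothetical names, not n8n APIs.

// Compare segments the way case-insensitive filesystems do: lower-case,
// and drop trailing dots/spaces (Windows ignores them, so ".git." is ".git").
function canonicalSegment(seg) {
  return seg.toLowerCase().replace(/[. ]+$/, '');
}

function checkRepoWritePath(relPath) {
  if (typeof relPath !== 'string' || relPath === '' || relPath.includes('\0')) {
    return { allowed: false, reason: 'invalid path' };
  }
  // Treat "\" like "/" so Windows-style input gets the same checks.
  const unified = relPath.replace(/\\/g, '/');
  if (unified.startsWith('/') || /^[a-zA-Z]:/.test(unified)) {
    return { allowed: false, reason: 'absolute path' };
  }
  // Resolve "." and ".." before looking for ".git", so that
  // "src/../.git/hooks/pre-commit" is judged by where it really lands.
  const stack = [];
  for (const seg of unified.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (stack.length === 0) return { allowed: false, reason: 'escapes repository' };
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  if (stack.length === 0) return { allowed: false, reason: 'invalid path' };
  // Reject any ".git" segment, including nested repositories and submodules.
  if (stack.some((seg) => canonicalSegment(seg) === '.git')) {
    return { allowed: false, reason: 'inside .git' };
  }
  return { allowed: true, normalized: stack.join('/') };
}

// Constructed sample inputs (not taken from the advisory).
const samples = ['src/index.js', '.git/hooks/pre-commit',
  'src/../.git/hooks/pre-commit', '.GIT\\hooks\\pre-commit', '../outside'];
for (const p of samples) console.log(p, '=>', JSON.stringify(checkRepoWritePath(p)));
```

A prefix test such as `path.startsWith('.git/')` would pass the third and fourth samples, which is why the guard normalizes first and compares segments case-insensitively.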