CVE-2026-21877
9.9
Git Hooked: RCE in n8n's Git Node
Amit Schendel
Senior Security ResearcherJan 7, 2026·6 min read·72 visits
PoC Available
Executive Summary (TL;DR)
n8n's Git node failed to block writes to the `.git/hooks` directory. Authenticated attackers could use this to write a malicious `pre-commit` hook and trigger it, achieving Remote Code Execution (RCE) on the host server with the privileges of the n8n process.
A critical RCE vulnerability in the n8n workflow automation platform allows authenticated users to execute arbitrary code by manipulating the Git node to write malicious hooks into the repository's `.git` directory.
Official Patches
Technical Appendix
CVSS Score
9.9/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HAffected Systems
n8n workflow automation platform < 1.121.3
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
n8n n8n | < 1.121.3 | 1.121.3 |
| Attribute | Detail |
|---|---|
| CWE | CWE-94 (Code Injection) / CWE-22 (Path Traversal) |
| CVSS v3.1 | 9.9 (Critical) |
| Attack Vector | Network (Authenticated) |
| Privileges Required | Low (User capable of editing workflows) |
| Impact | Remote Code Execution (RCE) |
| Status | Patched (v1.121.3) |
MITRE ATT&CK Mapping
CWE-94
Code Injection
Improper Control of Generation of Code ('Code Injection')
Known Exploits & Detection
Vulnerability Timeline
n8n version 1.121.3 released with fix
2025-11-26
CVE-2026-21877 Published
2026-01-06