GHSA-v364-rw7m-3263
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v364-rw7m-3263
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v364-rw7m-3263/GHSA-v364-rw7m-3263.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v364-rw7m-3263
- Aliases
- Published
- 2026-01-06T17:48:24Z
- Modified
- 2026-01-06T18:11:17.805334Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- n8n Vulnerable to RCE via Arbitrary File Write
- Details
-
Impact
n8n is affected by an authenticated Remote Code Execution (RCE) vulnerability.
Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service. This could result in full compromise of the affected instance.
Both self-hosted and n8n Cloud instances are impacted.
Patches
The issue has been resolved in n8n version 1.121.3.
Users are advised to upgrade to this version or later to fully address the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators can reduce exposure by disabling the Git node and limiting access for untrusted users.
References
- n8n documentation: Blocking access to nodes
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-01-06T17:48:24Z", "severity": "CRITICAL", "nvd_published_at": null, "cwe_ids": [ "CWE-434" ] }- References
Affected packages
npm / n8n
Package
- Name
- n8n
- View open source insights on deps.dev
- Purl
- pkg:npm/n8n