CVE-2026-21877: n8n arbitrary-file-write RCE
CVE-2026-21877 (n8n arbitrary-file-write RCE) is a remote code execution (arbitrary file write) vulnerability in n8n (npm). As of 2026-06-18 it carries a 5.3% probability of exploitation in the next 30 days (EPSS). It is fixed in 1.121.3 — if you depend on an earlier version, upgrade.
| Severity | High |
|---|---|
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| EPSS (exploit probability, 30d) | 5.3% · 91st percentile |
| Vulnerability type | Remote Code Execution (arbitrary file write) |
| Affected package | n8n (npm) |
| Fixed in | 1.121.3 |
What is CVE-2026-21877?
Versions of n8n before 1.121.3 let an authenticated user write files at paths of their choosing on the host running the n8n service and, through that write, execute code as the service, fully compromising the instance. The advisory names both self-hosted and cloud deployments as affected. Because the CVSS vector records PR:L, any low-privileged account that can author workflows counts as an attacker here. Until you can upgrade, the mitigations the advisory lists are disabling the Git node and restricting which users can create or edit workflows. Fixed in 1.121.3.
Is CVE-2026-21877 exploitable?
CVE-2026-21877 has an EPSS score of 5.3% (91st percentile), meaning a 5.3% estimated probability of exploitation in the wild within the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: network-reachable, low attack complexity, no user interaction, but PR:L, so the attacker needs a low-privileged account on the instance rather than anonymous access, and S:C, so a successful exploit reaches beyond n8n's own authorization scope onto the host running the service. The Severity field above carries the source advisory's qualitative rating of High; note that the CVSS 3.1 formula applied to this vector yields a base score of 9.9, which the CVSS 3.1 qualitative scale labels Critical. It is a remote code execution (arbitrary file write) issue.
What is the EPSS score for CVE-2026-21877?
As of 2026-06-18, the EPSS exploit-prediction score for CVE-2026-21877 is 5.3% (91st percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.
How do I fix CVE-2026-21877?
Upgrade n8n to 1.121.3 or later. If you cannot upgrade immediately, apply the advisory's mitigations: disable the Git node and restrict workflow authoring to trusted users, since any authenticated user who can create or edit workflows can reach the vulnerable path. On self-hosted instances, n8n's NODES_EXCLUDE environment variable is the documented way to stop a node type from loading; the Git node's type identifier is, to our understanding, n8n-nodes-base.git, so verify the name against the node list of your own instance before relying on it. Treat the mitigations as a stopgap: the only complete fix is the upgrade.
Am I affected by CVE-2026-21877?
You are affected if your project (directly or transitively) depends on a version of n8n below 1.121.3 in the npm ecosystem. Check the resolved version in your lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml), remembering that a nested copy under another package can resolve to a different version than the top-level one; for a self-hosted instance that is not installed as a dependency, check the version of the image or package you actually deploy. Or scan automatically with VulnFeed.
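The lockfile check described above, as an added example that is not part of this advisory or of the n8n project: it reads a package-lock.json, collects every copy of n8n it resolves (lockfileVersion 1's nested tree as well as the flat packages map of lockfileVersion 2 and 3) and flags any copy below 1.121.3. The sample lock embedded in the block is constructed for the example, and the nested package my-internal-tool in it is hypothetical.

```javascript
// Added example (not from the advisory or the n8n project): find the
// version(s) of n8n a package-lock.json resolves to and flag any below the
// fixed release. Handles lockfileVersion 1 (nested "dependencies" tree) and
// lockfileVersion 2/3 (flat "packages" map keyed by node_modules path).
const PACKAGE = 'n8n';
const FIXED_IN = '1.121.3';

// Constructed sample lock (lockfileVersion 3 layout). The nested copy under
// the hypothetical my-internal-tool shows that transitive copies are checked
// separately from the top-level one.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: 'automation-stack',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { n8n: '^1.121.0', 'my-internal-tool': '0.1.0' } },
    'node_modules/n8n': { version: '1.121.2' },
    'node_modules/my-internal-tool': { version: '0.1.0' },
    'node_modules/my-internal-tool/node_modules/n8n': { version: '1.121.3' },
  },
});

// Numeric dotted comparison (1.121.2 < 1.121.3 < 1.122.0). A pre-release tag
// such as 1.121.3-rc.1 is stripped, which treats it like the final release;
// tighten this if you deploy pre-releases.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of pkg in the lock, with the install path it lives at.
function findResolved(lockText, pkg = PACKAGE) {
  const lock = JSON.parse(lockText);
  const found = [];
  if (lock.packages) {
    // v2/v3: the key is the install path. v2 also carries a legacy
    // "dependencies" tree describing the same packages, so stop here.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`)) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // v1: recurse through nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === pkg) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Copies whose version is below the fix; an empty array means not affected.
function affectedCopies(lockText) {
  return findResolved(lockText).filter((c) => compareVersions(c.version, FIXED_IN) < 0);
}

// Stand-alone usage: node check-n8n.js [path/to/package-lock.json]
// (falls back to the constructed sample when no path is given).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK_V3;
  const hits = affectedCopies(text);
  for (const h of hits) {
    console.log(`AFFECTED ${h.path} resolves ${PACKAGE}@${h.version} (< ${FIXED_IN})`);
  }
  if (hits.length === 0) console.log(`OK: no copy of ${PACKAGE} below ${FIXED_IN}`);
}
```

On the constructed sample the top-level copy (1.121.2) is reported and the nested 1.121.3 copy is not, which is the distinction a plain grep for "n8n" would blur. yarn.lock and pnpm-lock.yaml use different formats and are not parsed here.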
Check your own project automatically
Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):
curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
-H 'content-type: application/json' \
-d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'
Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."
Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.