Pakistan’s National Cyber Emergency Response Team (National CERT) has issued an urgent warning about a critical flaw in n8n, a popular open-source workflow automation platform. The vulnerability, identified as CVE-2026-21858, carries the maximum CVSS severity score of 10.0. It allows attackers to execute commands remotely without authentication, potentially giving them full control over affected systems.
The advisory (NCA-02.130126) explains that the flaw arises from poor input validation and missing authorization checks in exposed n8n components. Exploiting it requires no user interaction, can be performed entirely over the network, and has very low attack complexity. CERT highlights that this makes systems running vulnerable versions exceptionally exposed.
If exploited, CVE-2026-21858 enables attackers to run arbitrary commands on the server hosting n8n. This could lead to complete system compromise and a wide range of security risks. CERT warns that attackers could:
Because n8n is widely used to automate critical business processes, a single compromised instance could disrupt operations and threaten security across connected systems.
CERT notes that CVE-2026-21858 is not an isolated issue. It follows several high-risk n8n vulnerabilities disclosed recently, including CVE-2025-60613 (CVSS 9.9), CVE-2025-68613 (CVSS 9.9), and CVE-2026-21877 (CVSS 10.0). This pattern indicates sustained interest from attackers, especially in DevOps and automation-heavy environments. Organizations are urged to treat n8n as a high-value target and assume potential compromise if systems are not patched and monitored.
According to the advisory, all n8n versions before 1.121.0 are vulnerable. Some configurations remain at risk until version 1.121.3. Even cloud deployments running 1.121.0 or later may be affected depending on exposed features. CERT advises organizations to assume exposure if patches have not been applied in the last few weeks, particularly for internet-facing instances.
Organizations should immediately check for exploitation indicators, including
Any of these signs should trigger an urgent incident response and forensic investigation.
CERT classifies remediation for CVE-2026-21858 as an emergency. Organizations are strongly advised to upgrade to n8n version 1.121.0 or later, with 1.121.3 recommended. After patching, all credentials, API tokens, and workflow secrets should be rotated. Audit logs and workflow histories must be reviewed for tampering.
For systems that cannot be patched immediately, temporary measures are recommended within 24–48 hours. These include restricting network access, disabling public UI and webhook access, using reverse proxies with authentication, or taking exposed instances offline.
The advisory emphasizes ongoing security improvements, such as enforcing least-privilege access, enabling detailed audit logs, deploying intrusion detection systems, using secure credential vaults, and performing regular vulnerability assessments. Organizations should also monitor n8n activity through SIEM tools to detect future attacks early.
National CERT concludes that CVE-2026-21858 is an immediate, severe threat. With active exploitation likely, the impact could range from data theft to full infrastructure compromise. The advisory stresses that delayed action could have costly consequences.
“Organizations should treat this as a live incident, not a routine patch,” the warning states. “Immediate action is essential to protect systems, data, and downstream partners.”
As workflow automation becomes central to business operations, this incident highlights the need for robust security practices. Without proper defenses, attackers will quickly exploit gaps in automation platforms like n8n.