The Fence Has A Door And The Door Has No Lock: n8n's Perfect-Score Catastrophe
A CVSS 10.0. A perfect score. A flawless, immaculate, gold-star-on-the-refrigerator disaster. I have been in this field since we were storing threat intelligence on magnetic tape, and I will tell you plainly: this is not something you should be proud of.
CVE-2026-21877 is an authenticated Remote Code Execution flaw in n8n, the workflow automation platform that the Shepherds in your C-suite almost certainly approved without asking a single hard question. Authenticated, mind you. Someone with legitimate credentials walks through the gate and then simply... owns the entire pasture. Both self-hosted deployments and the Sky Pasture version are affected. Of course the Sky Pasture is affected. I have said it before and I will say it until they put me in the ground: you do not graze your most sensitive flock in a field you cannot see.
The Wolves did not need to pick a lock here. They needed an invitation, and in most organizations, invitations are handed out like cheap pamphlets at a county fair.
The flaw is patched in version 1.121.3. That is your ointment. Apply it. In the Old Days, we would have had a configuration change deployed, tested, and signed off in triplicate before the coffee went cold. Now I am told that "update scheduling is a process" and that we must "open a ticket." Remarkable.
What genuinely concerns me, professionally and personally, is the phrase "earlier releases." That is a polite way of saying this hole in the fence has been sitting open for some time, and the Wolves are not known for their patience. They are known for their thoroughness.
The Flock, of course, clicked whatever they were told to click. This is their nature. I do not blame the sheep. I blame whoever decided not to build a proper Electric Fence around an automation platform with privileged system access. That is a Shepherd problem.
Remediation
Step one: Update to n8n version 1.121.3 immediately. Not tomorrow. Not after standup. Now.
Step two: Audit every authenticated account touching your n8n instance. If you do not recognize a credential, it is not yours.
Step three: If you are running this in the Sky Pasture, verify with your vendor that the patch is applied on their end. Do not assume. Assumption is how fleas become an infestation.
Step four: Consider, just briefly, whether a workflow automation tool needed Sky Pasture access to begin with. Think hard. I will wait.
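Step one and the "earlier releases" remark above amount to one check: is the running build older than 1.121.3, prerelease builds of 1.121.3 included? Below is an added example of that check, not code from the original post or from the n8n project. It assumes the version string is taken from the instance (for example from the n8n package.json or the CLI's version output; the exact source is an assumption), and the inventory it walks is constructed for illustration.

```javascript
// Added example (not from the original post or the n8n project): flag n8n
// instances whose version is an "earlier release" than the fixed 1.121.3.
// Assumption: each version string is a SemVer string as reported by the
// instance itself (package.json or CLI version output); the inventory below
// is constructed sample data.
const FIXED_VERSION = '1.121.3';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v")
// into comparable parts. Build metadata is ignored, as SemVer requires.
function parseSemver(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(s.trim());
  if (!m) throw new Error(`not a semver string: ${JSON.stringify(s)}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Compare prerelease identifier lists per SemVer 2.0.0 rule 11:
// a release outranks any prerelease with the same core, numeric identifiers
// compare numerically and rank below alphanumeric ones, and a longer list
// outranks a shorter prefix.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i], y = b[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xNum) return -1;
    else if (yNum) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// True when the installed build predates the fix. Note that a prerelease of
// 1.121.3 itself (e.g. 1.121.3-rc.1) is still an earlier release.
function isVulnerableVersion(installed) {
  return compareSemver(installed, FIXED_VERSION) < 0;
}

// Walk an inventory of { host, version } records and return the hosts that
// still need the patch.
function triage(inventory) {
  return inventory
    .filter(({ version }) => isVulnerableVersion(version))
    .map(({ host }) => host);
}

// Constructed sample inventory; hostnames and versions are illustrative.
const CONSTRUCTED_INVENTORY = [
  { host: 'n8n-prod-01', version: '1.121.3' },
  { host: 'n8n-prod-02', version: '1.120.0' },
  { host: 'n8n-staging', version: '1.121.3-rc.1' },
  { host: 'n8n-dev', version: 'v1.122.0' },
];

console.log('needs patching:', triage(CONSTRUCTED_INVENTORY));
```

Feed it the real version strings from your own instances; anything it returns is a host still standing in the open field. A bare string compare ("1.121.3" against "1.9.0") gets this wrong, which is why the numeric, field-by-field comparison is there.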
If your patch management strategy is "we'll get to it," you have already lost the pasture and you just don't know it yet.
Original Report: https://thehackernews.com/2026/01/n8n-warns-of-cvss-100-rce-vulnerability.html