Alert - AL26-001 – Vulnerabilities affecting n8n – CVE-2026-21858, CVE-2026-21877 and CVE-2025-68613

Number: AL26-001
Date: January 12, 2026

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On January 7, 2026, the Cyber Centre became aware of multiple high-severity vulnerabilities in n8n, a popular workflow automation software. CVE-2026-21858 [Footnote 1] is an Improper Input Validation vulnerability (CWE-20) [Footnote 2] that may allow an unauthenticated remote attacker to execute arbitrary code. The primary issue stems from how the n8n webhook processes incoming data and manages file handling. Webhooks, used to ingest data from external applications, are triggered after requests are parsed by the parseRequestBody() function, where insufficient validation creates an attack vector [Footnote 3].

CVE-2026-21877 [Footnote 4] is an Improper Control of Generation of Code ('Code Injection') vulnerability (CWE-94) [Footnote 5] that may allow a remote, privileged attacker to execute arbitrary code. It may be chained with the unauthenticated vulnerability CVE-2026-21858 to achieve code execution or arbitrary file writes on certain vulnerable versions of n8n.

CVE-2025-68613 [Footnote 6] is a critical remote code execution vulnerability resulting from insufficient isolation of user-supplied expressions in workflow configurations. This flaw enables authenticated attackers to run arbitrary code with the same privileges as the n8n process, potentially leading to complete compromise of the instance.

On January 7, 2026, in response to the vendor advisory, the Cyber Centre released AV26-004 [Footnote 7].

The Cyber Centre has observed open-source reporting that multiple Proof-of-Concepts (PoCs) are publicly available, including one that chains CVE-2026-21858 and CVE-2025-68613 [Footnote 8]. This exploit sequence enables unauthenticated RCE by first extracting sensitive data and then executing arbitrary commands on the affected server.

Suggested actions

The Cyber Centre recommends that organizations upgrade affected instances of n8n to the latest supported version. The table below shows affected and patched versions for each CVE:

Affected product | CVE            | Affected versions                                                  | Patched versions
n8n              | CVE-2025-68613 | version 0.211.0 to versions prior to 1.120.4, 1.121.1 and 1.122.0  | 1.120.4, 1.121.1, and 1.122.0
n8n              | CVE-2026-21858 | version 1.65.0 to versions prior to 1.121.0                        | 1.121.0
n8n              | CVE-2026-21877 | versions prior to 0.121.2                                          | 1.121.3
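The following JavaScript triage script is an added example, not code from this alert or from the n8n project. It transcribes the version ranges from the table above and applies them to a constructed inventory of version strings (the hostnames are hypothetical) so that a fleet can be checked in bulk. Where the table's affected-versions entry for CVE-2026-21877 gives "prior to 0.121.2" while the patched release is 1.121.3, the script uses the patched release as the cut-off; for CVE-2025-68613, whose fix shipped on three release lines, a version is treated as fixed only when it is at or above the patched release of its own major.minor line.

```javascript
// Added example, not part of the Cyber Centre alert or the n8n project.
// Classifies n8n version strings against the affected/patched ranges
// transcribed from the alert's table.

// Parse "1.121.0", "v1.121.0" or "1.121.0-rc.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised n8n version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way comparison of two parsed versions.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Ranges transcribed from the alert. `from` is the first affected release
// (null where the table gives none); `patched` lists the releases carrying
// the fix. Where the fix was backported to several release lines
// (CVE-2025-68613), a version is fixed only if it is at or above the patched
// release of its own major.minor line: 1.120.4 is fixed, but 1.121.0 is not.
const ADVISORY = [
  { cve: 'CVE-2025-68613', from: '0.211.0', patched: ['1.120.4', '1.121.1', '1.122.0'] },
  { cve: 'CVE-2026-21858', from: '1.65.0',  patched: ['1.121.0'] },
  // The table gives the affected range as "versions prior to 0.121.2" and the
  // patched release as 1.121.3; this check uses the patched release as the
  // cut-off and assumes no lower bound.
  { cve: 'CVE-2026-21877', from: null,      patched: ['1.121.3'] },
];

// True if `version` still needs the fix described by one advisory entry.
function isAffected(version, entry) {
  const v = parseVersion(version);
  if (entry.from && cmp(v, parseVersion(entry.from)) < 0) return false;
  const patched = entry.patched.map(parseVersion);
  const sameLine = patched.find((p) => p[0] === v[0] && p[1] === v[1]);
  if (sameLine) return cmp(v, sameLine) < 0;
  // Not on a release line that received the fix: treat anything older than
  // the newest patched release as affected (the conservative reading).
  const newest = patched.reduce((a, b) => (cmp(a, b) >= 0 ? a : b));
  return cmp(v, newest) < 0;
}

// Triage one version: which CVEs from the alert still apply to it.
function assess(version) {
  const cves = ADVISORY.filter((e) => isAffected(version, e)).map((e) => e.cve);
  return { version, affected: cves, needsUpgrade: cves.length > 0 };
}

// Constructed sample inventory (hypothetical hosts, not from the alert).
const INVENTORY = [
  ['automation-01', '1.118.2'],
  ['automation-02', '1.120.4'],
  ['automation-03', '1.121.0'],
  ['automation-04', '1.122.0'],
];

for (const [host, version] of INVENTORY) {
  const r = assess(version);
  const verdict = r.needsUpgrade ? 'UPGRADE: ' + r.affected.join(', ') : 'ok';
  console.log(`${host}\t${version}\t${verdict}`);
}
```

Feed the script the version strings your inventory tooling already collects from each n8n instance; any host reported as needing an upgrade should move to the latest supported version rather than the minimum patched release of its line, given the 1.x end-of-life noted below the table.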

Note: n8n version 1.x will reach end of life (EOL) by the beginning of March 2026 [Footnote 9].

If patching is not immediately possible, the vendor suggests that users restrict or disable publicly accessible webhook and form endpoints until the upgrade is complete [Footnote 10].

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions [Footnote 11], with an emphasis on the following topics:

  • Patch operating systems and applications
  • Harden operating systems and applications
  • Isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal, or email contact@cyber.gc.ca.
