{"id":"CVE-2026-21893","summary":"n8n Vulnerable to Command Injection in Community Package Installation","details":"n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.","aliases":["GHSA-7c4h-vh2m-743m"],"modified":"2026-04-10T05:38:37.274027Z","published":"2026-02-04T17:36:51.690Z","database_specific":{"cwe_ids":["CWE-20","CWE-78"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21893.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21893.json"},{"type":"ADVISORY","url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21893"},{"type":"FIX","url":"https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/n8n-io/n8n","events":[{"introduced":"edc43f2a2791f20f5bdd5f68cc688fa000a9096a"},{"fixed":"160c3831693160cde88a307e95635deb8fe73aa4"}]}],"versions":["n8n-core@0.128.0","n8n-core@0.129.0","n8n-core@0.130.0","n8n-core@0.131.0","n8n-core@0.132.0","n8n-core@0.133.0","n8n-core@0.133.1","n8n-core@0.133.2","n8n-core@0.133.3","n8n-core@0.134.0","n8n-core@0.135.0","n8n-core@0.135.1","n8n-core@0.135.2","n8n-core@0.136.0","n8n-core@0.137.0","n8n-core@0.138.0","n8n-core@0.139.0","n8n-core@0.140.0","n8n-core@0.140.1","n8n-core@0.141.0","n8n-core@0.142.0","n8n-core@0.142.1","n8n-core@0.143.0","n8n-core@0.143.1","n8n-core@0.144.0","n8n-core@0.145.0","n8n-core@0.146.0","n8n-core@0.146.1","n8n-core@0.147.0","n8n-core@0.148.0","n8n-core@0.148.1","n8n-core@0.149.0","n8n-core@0.149.1","n8n-core@0.149.2","n8n-core@0.150.0","n8n-core@0.150.1","n8n-core@0.151.0","n8n-core@0.151.1","n8n-core@0.151.2","n8n-core@0.152.0","n8n-core@0.153.0","n8n-core@0.154.0","n8n-core@0.154.1","n8n-core@0.155.0","n8n-design-system@0.28.0","n8n-design-system@0.29.0","n8n-design-system@0.30.0","n8n-design-system@0.31.0","n8n-design-system@0.32.0","n8n-design-system@0.33.0","n8n-design-system@0.33.1","n8n-design-system@0.34.0","n8n-design-system@0.35.0","n8n-design-system@0.35.1","n8n-design-system@0.36.0","n8n-design-system@0.37.0","n8n-design-system@0.38.0","n8n-design-system@0.39.0","n8n-design-system@0.40.0","n8n-design-system@0.41.0","n8n-design-system@0.42.0","n8n-design-system@0.43.0","n8n-design-system@0.44.0","n8n-design-system@0.45.0","n8n-design-system@0.46.0","n8n-design-system@0.47.0","n8n-design-system@0.48.0","n8n-design-system@0.49.0","n8n-design-system@0.49.1","n8n-design-system@0.49.2","n8n-design-system@0.49.3","n8n-design-system@0.50.0","n8n-design-system@0.50.1","n8n-design-system@0.51.0","n8n-design-system@0.51.1","n8n-design-system@0.52.0","n8n-design-system@0.53.0","n8n-design-system@0.54.0","n8n-editor-ui@0.153.1","n8n-editor-ui@0.154.0","n8n-editor-ui@0.155.0","n8n-editor-ui@0.156.0","n8n-editor-ui@0.157.0","n8n-editor-ui@0.157.1","n8n-editor-ui@0.158.0","n8n-editor-ui@0.158.1","n8n-editor-ui@0.158.2","n8n-editor-ui@0.159.0","n8n-editor-ui@0.159.1","n8n-editor-ui@0.159.2","n8n-editor-ui@0.159.3","n8n-editor-ui@0.159.4","n8n-editor-ui@0.160.0","n8n-editor-ui@0.161.0","n8n-editor-ui@0.161.1","n8n-editor-ui@0.161.2","n8n-editor-ui@0.161.3","n8n-editor-ui@0.162.0","n8n-editor-ui@0.163.0","n8n-editor-ui@0.163.1","n8n-editor-ui@0.164.0","n8n-editor-ui@0.164.1","n8n-editor-ui@0.164.2","n8n-editor-ui@0.165.0","n8n-editor-ui@0.166.0","n8n-editor-ui@0.166.1","n8n-editor-ui@0.167.0","n8n-editor-ui@0.168.0","n8n-editor-ui@0.168.1","n8n-editor-ui@0.169.0","n8n-editor-ui@0.170.0","n8n-editor-ui@0.171.0","n8n-editor-ui@0.172.0","n8n-editor-ui@0.172.1","n8n-editor-ui@0.173.0","n8n-editor-ui@0.173.1","n8n-editor-ui@0.174.0","n8n-editor-ui@0.174.1","n8n-editor-ui@0.175.0","n8n-editor-ui@0.175.1","n8n-editor-ui@0.175.2","n8n-editor-ui@0.175.3","n8n-editor-ui@0.175.4","n8n-editor-ui@0.176.0","n8n-editor-ui@0.176.1","n8n-editor-ui@0.176.2","n8n-editor-ui@0.177.0","n8n-editor-ui@0.177.1","n8n-editor-ui@0.178.0","n8n-editor-ui@0.178.1","n8n-editor-ui@0.179.0","n8n-editor-ui@0.180.0","n8n-editor-ui@0.180.1","n8n-editor-ui@0.180.2","n8n-editor-ui@0.181.0","n8n-editor-ui@0.181.1","n8n-editor-ui@0.182.0","n8n-node-dev@0.67.0","n8n-node-dev@0.68.0","n8n-node-dev@0.69.0","n8n-node-dev@0.70.0","n8n-node-dev@0.71.0","n8n-node-dev@0.72.0","n8n-node-dev@0.72.1","n8n-node-dev@0.73.0","n8n-node-dev@0.74.0","n8n-node-dev@0.74.1","n8n-node-dev@0.74.2","n8n-node-dev@0.75.0","n8n-node-dev@0.76.0","n8n-node-dev@0.77.0","n8n-node-dev@0.78.0","n8n-node-dev@0.79.0","n8n-node-dev@0.79.1","n8n-node-dev@0.80.0","n8n-node-dev@0.81.0","n8n-node-dev@0.81.1","n8n-node-dev@0.82.0","n8n-node-dev@0.82.1","n8n-node-dev@0.83.0","n8n-node-dev@0.84.0","n8n-node-dev@0.85.0","n8n-node-dev@0.85.1","n8n-node-dev@0.86.0","n8n-node-dev@0.87.0","n8n-node-dev@0.87.1","n8n-node-dev@0.88.0","n8n-node-dev@0.88.1","n8n-node-dev@0.88.2","n8n-node-dev@0.89.0","n8n-node-dev@0.89.1","n8n-node-dev@0.90.0","n8n-node-dev@0.90.1","n8n-node-dev@0.90.2","n8n-node-dev@0.91.0","n8n-node-dev@0.92.0","n8n-node-dev@0.93.0","n8n-node-dev@0.93.1","n8n-node-dev@0.94.0","n8n-nodes-base@0.185.1","n8n-nodes-base@0.186.0","n8n-nodes-base@0.187.0","n8n-nodes-base@0.188.0","n8n-nodes-base@0.189.0","n8n-nodes-base@0.190.0","n8n-nodes-base@0.191.0","n8n-nodes-base@0.191.1","n8n-nodes-base@0.191.2","n8n-nodes-base@0.191.3","n8n-nodes-base@0.192.0","n8n-nodes-base@0.193.0","n8n-nodes-base@0.193.1","n8n-nodes-base@0.193.2","n8n-nodes-base@0.193.3","n8n-nodes-base@0.194.0","n8n-nodes-base@0.195.0","n8n-nodes-base@0.195.1","n8n-nodes-base@0.196.0","n8n-nodes-base@0.197.0","n8n-nodes-base@0.198.0","n8n-nodes-base@0.198.1","n8n-nodes-base@0.199.0","n8n-nodes-base@0.200.0","n8n-nodes-base@0.200.1","n8n-nodes-base@0.201.0","n8n-nodes-base@0.201.1","n8n-nodes-base@0.202.0","n8n-nodes-base@0.203.0","n8n-nodes-base@0.204.0","n8n-nodes-base@0.204.1","n8n-nodes-base@0.205.0","n8n-nodes-base@0.205.1","n8n-nodes-base@0.206.0","n8n-nodes-base@0.206.1","n8n-nodes-base@0.207.0","n8n-nodes-base@0.207.1","n8n-nodes-base@0.207.2","n8n-nodes-base@0.208.0","n8n-nodes-base@0.208.1","n8n-nodes-base@0.208.2","n8n-nodes-base@0.209.0","n8n-nodes-base@0.209.1","n8n-nodes-base@0.209.2","n8n-nodes-base@0.210.0","n8n-nodes-base@0.210.1","n8n-nodes-base@0.211.0","n8n-nodes-base@0.212.0","n8n-nodes-base@0.212.1","n8n-nodes-base@0.212.2","n8n-nodes-base@0.213.0","n8n-nodes-base@0.213.1","n8n-nodes-base@0.214.0","n8n-workflow@0.110.0","n8n-workflow@0.111.0","n8n-workflow@0.112.0","n8n-workflow@0.113.0","n8n-workflow@0.114.0","n8n-workflow@0.115.0","n8n-workflow@0.115.1","n8n-workflow@0.116.0","n8n-workflow@0.117.0","n8n-workflow@0.117.1","n8n-workflow@0.117.2","n8n-workflow@0.118.0","n8n-workflow@0.119.0","n8n-workflow@0.120.0","n8n-workflow@0.121.0","n8n-workflow@0.122.0","n8n-workflow@0.122.1","n8n-workflow@0.123.0","n8n-workflow@0.124.0","n8n-workflow@0.124.1","n8n-workflow@0.125.0","n8n-workflow@0.126.0","n8n-workflow@0.127.0","n8n-workflow@0.128.0","n8n-workflow@0.128.1","n8n-workflow@0.129.0","n8n-workflow@0.130.0","n8n-workflow@0.131.0","n8n-workflow@0.131.1","n8n-workflow@0.131.2","n8n-workflow@0.132.0","n8n-workflow@0.132.1","n8n-workflow@0.133.0","n8n-workflow@0.133.1","n8n-workflow@0.133.2","n8n-workflow@0.134.0","n8n-workflow@0.135.0","n8n-workflow@0.136.0","n8n-workflow@0.136.1","n8n-workflow@0.137.0","n8n@0.187.0","n8n@0.187.1","n8n@0.187.2","n8n@0.188.0","n8n@0.189.0","n8n@0.189.1","n8n@0.190.0","n8n@0.191.0","n8n@0.191.1","n8n@0.192.0","n8n@0.192.1","n8n@0.192.2","n8n@0.193.0","n8n@0.193.1","n8n@0.193.2","n8n@0.193.3","n8n@0.193.4","n8n@0.193.5","n8n@0.194.0","n8n@0.195.0","n8n@0.195.1","n8n@0.195.2","n8n@0.195.3","n8n@0.195.4","n8n@0.195.5","n8n@0.196.0","n8n@0.197.0","n8n@0.197.1","n8n@0.198.0","n8n@0.198.1","n8n@0.198.2","n8n@0.199.0","n8n@0.200.0","n8n@0.200.1","n8n@0.201.0","n8n@0.202.0","n8n@0.202.1","n8n@0.203.0","n8n@0.203.1","n8n@0.204.0","n8n@0.205.0","n8n@0.206.0","n8n@0.206.1","n8n@0.207.0","n8n@0.207.1","n8n@0.208.0","n8n@0.208.1","n8n@0.209.0","n8n@0.209.1","n8n@0.209.2","n8n@0.209.3","n8n@0.209.4","n8n@0.210.0","n8n@0.210.1","n8n@0.210.2","n8n@0.211.0","n8n@0.211.1","n8n@0.211.2","n8n@0.212.0","n8n@0.212.1","n8n@0.213.0","n8n@0.214.0","n8n@0.214.1","n8n@0.214.2","n8n@0.215.0","n8n@0.215.1","n8n@0.215.2","n8n@0.216.0","n8n@0.218.0","n8n@0.220.0","n8n@0.223.0","n8n@0.229.0","n8n@0.234.0","n8n@1.0.0","n8n@1.0.1","n8n@1.10.0","n8n@1.103.0","n8n@1.105.0","n8n@1.107.0","n8n@1.113.0","n8n@1.115.0","n8n@1.12.0","n8n@1.120.0","n8n@1.120.1","n8n@1.120.2","n8n@1.14.0","n8n@1.17.0","n8n@1.18.0","n8n@1.2.0","n8n@1.22.0","n8n@1.23.0","n8n@1.25.0","n8n@1.29.0","n8n@1.30.0","n8n@1.31.0","n8n@1.36.0","n8n@1.37.0","n8n@1.4.0","n8n@1.40.0","n8n@1.42.0","n8n@1.47.0","n8n@1.49.0","n8n@1.5.1","n8n@1.50.0","n8n@1.51.0","n8n@1.55.0","n8n@1.56.0","n8n@1.58.0","n8n@1.59.0","n8n@1.60.0","n8n@1.62.1","n8n@1.63.0","n8n@1.64.0","n8n@1.69.0","n8n@1.7.0","n8n@1.71.0","n8n@1.73.0","n8n@1.74.0","n8n@1.89.0","n8n@1.92.0","n8n@1.93.0","n8n@1.94.0"," n8n@0.189.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21893.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}