New Vulnerability in n8n

This isn’t good:

We discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables attackers to take over locally deployed instances, impacting an estimated 100,000 servers globally. No official workarounds are available for this vulnerability. Users should upgrade to version 1.121.0 or later to remediate the vulnerability.

Three technical links and two news links.

Posted on January 15, 2026 at 7:05 AM • 1 Comment

Comments

Clive Robinson January 15, 2026 8:59 AM

@ Bruce, ALL,

With regards,

“This isn’t good”

Is a polite and somewhat understated comment 😉

For some of those 100,000 server operators it’s going to be a disaster one way or another.

Anyone who has “managed services” on a server knows that even adding patches can be a twitch making experience… As what was working fine stops doing so and those who in turn depend on the services supplied get “communicative” in various ways sapping time to find resolutions or mitigations.

But doing an “upgrade” can be even more stressful as way more in-depth testing is required on the likes of a representative prototype system.

So some of those servers will “stay up” as they are for a while if not indefinitely…

That is some will just not do the upgrade and take the risk…

As the article notes,

“n8n is the go-to platform for building automated workflows in the age of AI and AI agents.”

The thing is “automated workflows” for AI and AI Agents has other risks attached as well.

AI Agents can be “prompt engineered” into

“Exfiltrating everything an AI Agent is allowed to see”

And most automated workflows have two major disadvantages,

1, Prompt Engineering is hidden from user view.
2, There is proof that Prompt Engineering can not be prevented.

So some people will ask,

Does this mean AI Agents will be forever a security risk?

Well yes it kind of does…
