Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Two critical vulnerabilities in n8n can lead to remote code execution, Patch Immediately!
Image
Published : 09/01/2026
- Last update: 09/01/2026
- Affected software:
→ n8n- Type: Remote code execution
- CVE/CVSS
→ CVE-2026-21877: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
→ CVE-2026-21858: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
Sources
https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263
https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
Risks
In January 2025, two critical vulnerabilities were identified in n8n (CVE-2026-21858 and CVE-2026-21877). Both have a high impact on confidentiality, integrity and availability. Successful exploitation of any of these vulnerabilities could enable attackers to take over locally deployed instances.
n8n is a popular workflow automation platform with millions of users around the world, including large organisations. The technology is used to connect different and often critical systems within an organisation. Compromise of a n8n instance could give attackers access to API credentials, OAuth tokens, database connections and cloud storage, therefore making it a very valuable target for attackers.
Neither vulnerability is actively exploited (cut-off date: 08 January 2026). However, given the simplicity of exploitation, rapid weaponization is considered likely.
Description
CVE-2026-21858 is a critical vulnerability in n8n with a CVSS score of 10.0. The flaw resides in the way webhooks handle requests. Successful exploitation of this vulnerability enables an unauthenticated remote attacker to execute arbitrary system commands by abusing workflow execution and credential handling logic, resulting in full compromise of the underlying host.
CVE-2026-21877 is a critical remote code execution flaw in n8n with a CVSS score of 10.0. Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service. This could result in full compromise of the affected instance. Please note that CVE-2026-21877 impacts both self-hosted and n8n Cloud instances.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
n8n recommends as temporary mitigation:
- For CVE-2026-2158: to restrict or disable publicly accessible webhook and form endpoints.
- For CVE-2026-21877: to disable the Git node and limit access for untrusted users.
Additional recommendations include restricting or taking offline Internet-exposed n8n instances until patching is completed.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.