Question About GHSA-v364-rw7m-3263 Advisory – Why Was It Published Suddenly & Should We Follow GitHub Versioning?

Hi n8n Team and Community,

I recently came across the GitHub Security Advisory GHSA-v364-rw7m-3263 (CVE-2026-21877), which mentions a critical vulnerability affecting certain n8n versions and recommends upgrading to 1.121.3 or later.

I have a couple of questions:

  1. This advisory appeared quite suddenly in GitHub Security Alerts. Was this part of a coordinated disclosure after a fix was released?

  2. Should we strictly follow the version ranges mentioned in GitHub Advisories (for example, affected versions >= 0.123.0 and < 1.121.3)?

  3. Is upgrading to the patched version immediately recommended even if we are not actively using the affected node (e.g., Git node)?

  4. For self-hosted users, is there any additional mitigation we should consider beyond upgrading?

Would appreciate clarification from the maintainers or anyone who has more insight into how these advisories are published and how we should treat them in production environments.

Thanks in advance

Hey!

  1. Exactly, once the fix was provided and the security risk was fully addressed, we published the recommended guidelines.

  2. Yes, the affected versions include the full version range from when the vulnerability was initially introduced up to the last impacted version.

  3. Good question. Overall, the upgrade is recommended in all cases. If you’re absolutely sure that the affected code does not impact your instances in any way, and if the upgrade process is time-consuming for you, that’s a risk you need to evaluate yourself.

  4. Not at this point for this advisory.

Thanks
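As an added example, not part of this thread or of n8n's own tooling: a small Python check that compares a deployed n8n version against the affected range quoted above (>= 0.123.0 and < 1.121.3), treating a pre-release of the fixed version as still affected. The semver parsing and the sample inventory are assumptions of this example.

```python
# Added example (not from the thread or from n8n): check deployed n8n
# versions against the affected range stated for GHSA-v364-rw7m-3263.
import re

# Range as quoted in the thread: >= 0.123.0 (inclusive) and < 1.121.3 (exclusive)
AFFECTED_MIN = "0.123.0"   # first affected version
FIXED_IN = "1.121.3"       # first fixed version

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text: str):
    """Parse 'v1.109.2' or '1.121.3-rc.1' into a comparable tuple.

    A release sorts after any pre-release of the same core version, so the
    trailing slot is (1,) for a release and (0, tag) for a pre-release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return core + ((1,) if pre is None else (0, pre))


def is_affected(version: str, lo: str = AFFECTED_MIN, hi: str = FIXED_IN) -> bool:
    """True if lo <= version < hi, i.e. the version is inside the affected range."""
    v = parse_version(version)
    return parse_version(lo) <= v < parse_version(hi)


def triage(versions):
    """Map each deployed version to 'upgrade' or 'ok' for a quick inventory report."""
    return {v: ("upgrade" if is_affected(v) else "ok") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory (assumption); 1.109.2 is the version a user
    # mentions in this thread, and a pre-release of 1.121.3 is still affected.
    for ver, verdict in triage(["1.109.2", "v1.121.3", "0.122.9", "1.121.3-rc.1"]).items():
        print(f"{ver}: {verdict}")
```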

Hello,

We are currently using v1.109.2 and I would like to clarify whether there are any usage charges associated with the community version of n8n under the new license terms.
In our organization, we are currently using n8n under what we believe to be the community license, and up until now, we haven’t paid any license fees. However, I’ve come across information suggesting there may be a cost associated with certain usage scenarios under the updated licensing terms.
Could you please confirm:

  1. Is there any usage charge for the community version of n8n?
  2. If there are limitations for the community version, could you outline what they are (e.g., based on executions or usage parameters)?

Thank you very much for your support, and I appreciate any guidance on this matter.