CVE-2026-21858
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
Description
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
INFO
Published Date: Jan. 8, 2026, 12:15 a.m.
Last Modified: Jan. 16, 2026, 7:31 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Source |
|---|---|---|---|---|
| 10.0 | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N | [email protected] |
Solution
- Update n8n to version 1.121.0.
- Apply security patches for affected versions.
- Review and secure workflow configurations.
Public PoC/Exploit Available on GitHub
CVE-2026-21858 has 25 public PoC/exploit repositories available on GitHub.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-21858.
| URL | Resource |
|---|---|
| https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg | Vendor Advisory |
| https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858 | Exploit, Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-21858 is associated with the following CWEs:
- CWE-20: Improper Input Validation
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-21858 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by the most recently updated).
Hack
Dockerfile Python Shell Perl
vortex_dwm.py (The ASLR-Defeat Core) This script targets the ALPC (Advanced Local Procedure Call) port used by the Desktop Window Manager. It utilizes the \alpha=0.0302 timing constant to intercept the memory section handle during a state-restoration cycle.
Python
Security scanner for AI IDE configuration files (.cursorrules, .vscode/settings.json) - detects Unicode obfuscation + risky patterns
ai-security cursor cve devsecops python scanner security supply-chain-security vscode vulnerability-scanner
Python
Ultimate Bug Bounty Reconnaissance Tool
Python Shell
🛡️ Exploit CVE-2026-21858 for unauthenticated RCE in n8n; includes proof of concept and mitigation details for critical vulnerabilities.
Proof of Concept: CVE-2026-21858 is a vulnerability in n8n where unauthenticated remote attackers can access sensitive files.
cve cve-2026-21858 exploit n8n n8n-exploits nuclei poc vuln
Python
None
Python
SASTRA-ADI-WIGUNA-CVE-2026-21858-Holistic-Audit
None
Shell
Comprehensive vulnerability detection tool for n8n workflow automation instances. Detects the critical CVE-2026-21858 vulnerability (CVSS 10.0) without performing any exploitation.
cve-2026-21858
Dockerfile Python
CVE-2026-21858
n8n Ni8mare - Unauthenticated Arbitrary File Read to RCE Chain (CVSS 10.0)
exploit n8n poc rce security vulnerability cve-2026-21858 ni8mare
Dockerfile Python Shell
A maximum severity vulnerability dubbed "Ni8mare" allows remote, unauthenticated attackers to take control over locally deployed instances of the N8N workflow automation platform.
Security Detective for React, Next.js, Node.js & npm - CVE scanner, malware detector, secrets finder, SBOM generator. 60+ commands. Zero config.
cve cybersecurity devsecops nextjs python react security security-tools vulnerability-management vulnerability-scanner malware-detection npm supply-chain-security threat-detection model-context-protocol security-automation bug-bounty cli nodejs sbom
Python Shell
GRC News Assistant 3.0
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news items that mention the CVE-2026-21858 vulnerability anywhere in the article.
- BleepingComputer: New sandbox escape flaw exposes n8n instances to RCE attacks
  Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host. Iden ...
- The Hacker News: Two High-Severity n8n Flaws Allow Authenticated Remote Code Execution
  Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a crucial vulnerability that could result in remote code execution. The weaknesses, d ...
- Daily CyberSecurity: Sandbox Shattered: Critical n8n Flaw (CVSS 9.9) Allows Remote Code Execution
  Security researcher Natan Nehorai of the JFrog Security Research Team has uncovered a critical Remote Code Execution (RCE) vulnerability in n8n, the popular fair-code workflow automation platform used ...
- Schneier on Security: New Vulnerability in n8n
  This isn't good: We discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables attackers to take over locally deployed instances, impacting an estimated 100,000 servers global ...
- The Cyber Express: What Is a DNS Attack? Understanding the Risks and Threats
  In 2026, when websites, apps, and online services drive nearly every aspect of daily life, the Domain Name System (DNS) acts as the internet's unsung hero. It serves as the bridge between humans and m ...
- CybersecurityNews: 100,000+ n8n Instances Exposed to Internet Vulnerable to RCE Attacks
  A critical vulnerability affecting the popular n8n workflow automation platform has put over 100,000 internet-exposed instances at severe risk. Security researchers from The Shadowserver Foundation di ...
- BleepingComputer: Max severity Ni8mare flaw impacts nearly 60,000 n8n instances
  Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed "Ni8mare." n8n is an open-source workflow automation platform that allows users to connect d ...
- security.nl: Sixty thousand n8n servers missing update for very critical security vulnerability
  Some sixty thousand servers running n8n, including fourteen hundred in the Netherlands, are missing a security update for a very critical vulnerability. The Shadowserver Foundation reports this on the basis ...
- TheCyberThrone: Critical Ni8mare RCE and Expression Injection Vulnerability
  January 10, 2026. n8n, the popular open-source workflow automation tool, faces multiple critical vulnerabilities disclosed in late 2025 and early 2026. These flaws enable unauthenticated remote code exe ...
- SentinelOne: The Good, the Bad and the Ugly in Cybersecurity – Week 2
  The Good | U.K. Government Resets Public-Sector Cybersecurity With £210M Action Plan. The United Kingdom has unveiled a sweeping reset of its public-sector cybersecurity strategy, committing more than ...
- security.nl: NCSC expects exploitation of critical Ni8mare vulnerability in n8n
  The National Cyber Security Centre (NCSC) expects that attackers will exploit a critical vulnerability in n8n, designated Ni8mare and CVE-2026-21858, through which unauthenticated ...
- The Register: Maximum-severity n8n flaw lets randos run your automation server
  A maximum-severity bug in the popular automation platform n8n has left an estimated 100,000 servers wide open to complete takeover, courtesy of a flaw so bad it doesn't even require logging in. The vu ...
- Daily CyberSecurity: CISA KEV Alert: HPE's Maximum CVSS Score Flaw and a Zombie PowerPoint Bug
  The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with two new entries that span nearly two decades of computing history. The la ...
- Daily CyberSecurity: Public Exploit Released: Critical n8n Flaw CVE-2026-21858 Exposes 100k Servers
  The "central nervous system" of automation for thousands of companies has a critical weakness. A new report from Cyera reveals a devastating vulnerability in n8n, the popular workflow automation platf ...
- Daily CyberSecurity: "VM Isolation is Not Absolute": Researchers Unmask Sophisticated ESXi "Maestro" Exploit
  In a new report, the Huntress Tactical Response Team details a sophisticated intrusion discovered in December 2025 where threat actors successfully executed a "VM escape", breaking out of a guest virtu ...
The following table lists the changes that have been made to the CVE-2026-21858 vulnerability over time. Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Initial Analysis by [email protected] (Jan. 16, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | OR `*cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*` versions from (including) 1.65.0 up to (excluding) 1.121.0 |
| Added | Reference Type | | GitHub, Inc.: https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg Types: Vendor Advisory |
| Added | Reference Type | | GitHub, Inc.: https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858 Types: Exploit, Third Party Advisory |

- CVE Modified by [email protected] (Jan. 12, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858 |

- CVE Modified by [email protected] (Jan. 08, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | Description | n8n is an open source workflow automation platform. Versions below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0. | n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0. |

- New CVE Received by [email protected] (Jan. 08, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | n8n is an open source workflow automation platform. Versions below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0. |
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| Added | CWE | | CWE-20 |
| Added | Reference | | https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg |