CVE-2026-21858

10.0 CRITICAL

📋 TL;DR

This vulnerability in the n8n workflow automation platform allows unauthenticated remote attackers to trigger certain form-based workflows that can access files on the underlying server. Attackers can read sensitive information stored on the system and, depending on the deployment configuration, potentially achieve further compromise. Affected versions are n8n 1.65.0 through 1.120.x.

💻 Affected Systems

Products:
  • n8n
Versions: 1.65.0 through 1.120.x
Operating Systems: All platforms running n8n
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments that run form-based workflows are in scope; actual exposure depends on how each workflow is configured

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data exfiltration, lateral movement, and complete system takeover

🟠 Likely Case: Unauthenticated file read access exposing configuration files, credentials, and sensitive data

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent external access

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows direct attack from internet
🏢 Internal Only: HIGH - Even internal attackers can exploit without credentials

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public research demonstrates exploitation techniques; attack requires specific workflow configurations but is straightforward once identified

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.121.0

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg

Restart Required: Yes

Instructions:

1. Back up your n8n instance and workflows.
2. Update n8n to version 1.121.0 or later using your package manager.
3. Restart the n8n service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable form-based workflows

Platform: all

Temporarily disable or remove form-based workflows that could be exploited until the instance is patched.

Network isolation

Platform: linux

Restrict network access to the n8n instance using firewall rules, for example on the default n8n port 5678:

iptables -A INPUT -p tcp --dport 5678 -j DROP

Note that this rule is appended (-A) and drops every client, including legitimate ones; place ACCEPT rules for trusted sources ahead of it, and verify that no earlier rule already accepts the traffic.

🧯 If You Can't Patch

  • Isolate n8n instance behind authentication proxy or VPN
  • Implement strict network segmentation and monitor for suspicious file access patterns

🔍 How to Verify

Check if Vulnerable:

Check the n8n version; if it is between 1.65.0 and 1.120.x inclusive, the instance is vulnerable.

Check Version:

Run n8n --version, or check the installed package version with your package manager.

Verify Fix Applied:

Verify that the n8n version is 1.121.0 or higher, then confirm that form-based workflows no longer allow unauthorized file access.
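A small version-range check for the verification steps above, added here as an example and not part of the advisory or of n8n itself. It parses the output of n8n --version (the regex and the "below-range" label are this example's own assumptions) and avoids the classic pitfall of comparing version strings lexically, where "1.9.0" sorts after "1.120.0".

```python
import re

# Range boundaries from the advisory: first affected release and first fixed release.
# The trailing 1 marks a final release; a pre-release (e.g. 1.121.0-rc.1) gets 0 so
# that it sorts before the release it precedes, as in semantic versioning.
FIRST_AFFECTED = (1, 65, 0, 1)
FIRST_FIXED = (1, 121, 0, 1)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_version(text):
    """Turn 'n8n --version' output into a comparable tuple.

    Accepts an optional leading 'v', trailing whitespace/newlines and a
    pre-release suffix. Raises ValueError for anything that is not a version.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_release = 0 if m.group(4) else 1
    return (major, minor, patch, is_release)


def assess(version_text):
    """Classify a version for CVE-2026-21858.

    Returns 'fixed' (>= 1.121.0), 'vulnerable' (1.65.0 .. 1.120.x) or
    'below-range' for releases older than the advisory's stated range
    (label chosen for this example; such releases are not covered by the advisory).
    """
    v = parse_version(version_text)
    if v >= FIRST_FIXED:
        return "fixed"
    if v >= FIRST_AFFECTED:
        return "vulnerable"
    return "below-range"


if __name__ == "__main__":
    # Constructed sample outputs, as 'n8n --version' might print them.
    for sample in ("1.120.3\n", "v1.65.0", "1.121.0", "1.121.0-rc.1", "1.9.0"):
        print(f"{sample.strip():14} -> {assess(sample)}")
```

Feed it the real command output, for example assess(subprocess.check_output(["n8n", "--version"], text=True)), on each host you inventory.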

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from n8n processes
  • Form workflow executions from unexpected IP addresses

Network Indicators:

  • HTTP requests to form endpoints from unauthorized sources
  • Unusual outbound data transfers

SIEM Query (illustrative pseudo-query; adapt source and field names to your platform):

source="n8n" AND (event="file_access" OR event="workflow_execution") AND src_ip NOT IN [allowed_ips]
