CVE-2026-21858 · n8n is an open source workflow automation platform.

01 · The Real Story

This is a master key hidden behind a very specific door, not a skeleton key for every n8n server

CVE-2026-21858 is an improper input validation bug in self-hosted n8n that affects >=1.65.0, <1.121.0; 2.x already contains the fix. The bug sits in form/webhook request handling and only becomes reachable when an instance has an active workflow that includes a Form Submission trigger and a Form Ending node configured to return a binary file. In that setup, an unauthenticated remote caller who can hit the form endpoint can abuse content-type confusion to read server-side files, steal secrets, and in some deployments chain to full host compromise.

The vendor's 10.0 / CRITICAL score is technically defensible for the worst case, but it overstates population-wide urgency. This is not a universal pre-auth RCE against every exposed login page; it is a narrower internet-reachable workflow flaw that requires a specific workflow pattern to already exist. Still, when that pattern is present on an internet-exposed self-hosted node, the blast radius is ugly because n8n commonly centralizes tokens, SaaS creds, CI/CD access, and cloud secrets.

"Serious internet-edge risk, but not every n8n box is instantly exploitable; the workflow prerequisite knocks this below CRITICAL."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable form endpoint

The attacker uses a basic HTTP client such as curl or a scanner such as the public nuclei template from ProjectDiscovery to locate exposed n8n webhook/form routes. The vulnerable surface is not the generic login page; it is a live form workflow endpoint reachable without authentication.

Conditions required:

Self-hosted n8n version >=1.65.0, <1.121.0
Form/webhook endpoint exposed to the attacker over HTTP(S)
Active workflow using Form Submission

Where this breaks in practice:

Cloud instances were already upgraded by n8n and are out of scope
Internal-only n8n deployments are not reachable pre-auth from the internet
Many exposed n8n instances may not actually publish vulnerable form flows

Detection/coverage: External attack-surface tools and ProjectDiscovery coverage are good for exposed hosts, but they cannot reliably prove the vulnerable workflow pattern is present without deeper validation.

STEP 02

Trigger content-type confusion

Using a crafted request, the attacker abuses the webhook parser mismatch described by Cyera to make the workflow treat attacker-controlled input as file data. In vulnerable form workflows that return a binary file, this can be turned into arbitrary file read from the underlying server.

Conditions required:

A workflow has both Form Submission and a Form Ending node returning binary content
The endpoint accepts unauthenticated submissions

Where this breaks in practice:

The exploit path is workflow-specific rather than product-global
Reverse proxies, custom routing, or disabled public forms may prevent direct reachability
Some WAFs may flag malformed multipart/content-type anomalies, though coverage is inconsistent

Detection/coverage: Look for unusual POSTs to form/webhook endpoints, mismatched Content-Type values, and unexpected binary responses. Network IDS/WAF signatures may catch noisy PoCs, but bespoke requests can slip through.

STEP 03

Harvest secrets from local files

Once file read is achieved, the attacker targets .env, n8n configuration, and data-store material to recover secrets such as N8N_ENCRYPTION_KEY, database credentials, and stored tokens. Cyera shows how this pivots from file disclosure into broader control of the automation environment.

Conditions required:

Readable secrets exist on disk or in reachable config paths
n8n stores high-value credentials or references to connected systems

Where this breaks in practice:

Least-privileged container filesystems and secret managers reduce what can be read
Read-only compromise may stall if encryption keys or useful creds are not exposed locally

Detection/coverage: EDR or container-runtime telemetry may catch odd file access by the node process, but many default n8n deployments lack that depth of visibility.

STEP 04

Turn app control into code execution

With recovered secrets or forged access, the attacker can weaponize n8n's own features, for example by creating a workflow that uses Execute Command, or by abusing the trust n8n already has into adjacent systems. This is why public write-ups call it 'Ni8mare': the initial bug is file read, but the practical end state can be full server and environment compromise.

Conditions required:

Recovered material is sufficient to authenticate, forge sessions, or manipulate workflows
The n8n instance allows dangerous nodes or has broad downstream integrations

Where this breaks in practice:

Some deployments disable risky nodes, harden the container, or isolate the runtime user
EDR often catches child process creation from the n8n node process

Detection/coverage: This is where defenders have the best shot: alert on node spawning shells, sh, bash, curl, wget, package managers, or unusual outbound connections from the n8n host/container.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No CISA KEV listing found in the public catalog used for this assessment, and Censys said there was no confirmed large-scale exploitation at disclosure time; that said, public weaponization was expected quickly because the path is internet-reachable and PoCs appeared fast.
Public exploit / scanner availability	Yes. Public technical write-up from Cyera, a public PoC repo from SystemVll, references to Chocapikk exploit code, and a ProjectDiscovery nuclei template all reduce attacker effort.
EPSS	User-supplied EPSS = 0.06939 (~6.939% 30-day exploitation probability). That is meaningful but not elite-tier mass exploitation pressure; percentile was not independently verified from FIRST API in this assessment.
KEV status	Not KEV-listed as of this assessment; no federal due date pressure signal.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N` captures the worst-case chain, but it misses the most important real-world friction: exploitation requires a specific active workflow design, not merely an exposed n8n instance.
Affected population	Affected versions are `>=1.65.0, <1.121.0` on self-hosted n8n. n8n's own advisory says the instance is only potentially vulnerable if an active workflow has both Form Submission and Form Ending returning a binary file.
Fixed versions	Upgrade to `1.121.0+` or any `2.x` release. n8n states cloud tenants were already upgraded; the practical patch target for self-hosted estates is `1.121.0+` or current `2.x`.
Exposure data	Censys reported 26,512 exposed hosts at publication. TechRadar, citing Shadowserver data from 2026-01-11, reported 59,559 internet-connected vulnerable n8n instances, including 28,087 in the US.
Disclosure timeline	Public dates are easy to confuse here: GHSA and Cyera published on 2026-01-07, the n8n community advisory posted on 2026-01-08, and NVD later added analysis/CPE details on 2026-01-16.
Researcher / reporting org	GHSA credits `dorattias` as reporter; the public technical analysis is from Dor Attias / Cyera Research Labs.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.4/10)

The single biggest reason this lands at HIGH instead of CRITICAL is that exploitation requires a specific active form workflow pattern, not just an exposed n8n server. Once that prerequisite exists on an internet-reachable self-hosted instance, the blast radius is severe because n8n often concentrates secrets and downstream trust.

HIGH Affected version range and patch floor (`1.121.0+` / `2.x`)

HIGH Workflow prerequisite: `Form Submission` plus binary-returning `Form Ending`

MEDIUM How often real enterprise deployments actually expose that workflow pattern externally

Why this verdict

Start at vendor 10.0: if you already have the exact vulnerable workflow exposed, the unauthenticated file-read-to-compromise chain is absolutely dangerous.
Minus 0.8 for exposure narrowing: this is limited to self-hosted >=1.65.0, <1.121.0; cloud and 2.x are already outside the blast zone.
Minus 0.7 for attacker reachability friction: the attacker needs a reachable form/webhook endpoint, not merely access to the main n8n web UI or an internal host.
Minus 0.9 for workflow-design dependency: exploitation requires an active workflow with Form Submission and a binary-returning Form Ending; that is a meaningful population reducer in real estates.
Plus 0.4 for attacker enablement: public write-ups, PoCs, and scanner coverage make validation and weaponization easier than the raw EPSS alone would suggest.
Plus 0.4 for blast radius: compromise of n8n often means compromise of everything n8n touches—OAuth tokens, databases, CI/CD, SaaS APIs, and AI pipelines.

Why not higher?

Because the vuln is not broadly exploitable against every installed copy. It needs a reachable, vulnerable workflow shape already deployed, which means this is not the same operational class as a product-wide pre-auth RCE on the base login surface. The required attacker path narrows both exposed population and exploit reliability.

Why not lower?

Because when the prerequisite workflow exists, the path is still unauthenticated, internet-viable, and high-impact. Public tooling exists, tens of thousands of exposed instances were observed, and n8n's role as an automation hub turns a single foothold into a multi-system credential and control event.

05 · Compensating Control

What to do — in priority order.

Block public form and webhook routes — At reverse proxies, ingress controllers, and edge firewalls, restrict anonymous access to n8n form/webhook endpoints that do not need to be public. This is the cleanest population reduction control and should be deployed within 30 days for a HIGH verdict, sooner for internet-exposed estates.
Inventory vulnerable workflow shapes — Query self-hosted n8n instances for active workflows containing Form Submission plus Form Ending configured with respondWith=returnBinary. This lets you separate theoretical version exposure from actually exploitable business flows and should be completed within 30 days.
Isolate n8n from crown-jewel networks — Move n8n hosts/containers into tightly segmented zones with egress filtering to SaaS/API destinations they truly require. This limits post-read secret abuse and lateral movement and should be enforced within 30 days.
Harden host and container privileges — Run n8n as a non-root user, minimize mounted secrets, prefer secret managers over .env sprawl, and disable dangerous nodes where operationally possible. This reduces the value of file read and weakens the file-read-to-RCE chain; deploy within 30 days.
Alert on child process creation from n8n — Tune EDR/container telemetry for node or the n8n process spawning shells, package managers, curl, wget, or other living-off-the-land tools. This is the best compensating detective control for the later stages of the chain and should be live within 30 days.

What doesn't work

A login page in front of the UI does not solve this if the vulnerable form/webhook endpoint is still anonymous by design.
Relying only on version-based internet scans overstates or understates risk; version alone cannot prove the required workflow exists.
Generic MFA is mostly irrelevant for the initial step because the attack path is against unauthenticated form endpoints, not interactive user logins.

06 · Verification

Crowdsourced verification payload.

Run this on the target self-hosted n8n host or inside the n8n container. Invoke it as bash check_cve_2026_21858.sh /home/node/.n8n/database.sqlite or simply bash check_cve_2026_21858.sh if the default SQLite path is used; it needs read access to the n8n database file and permission to run n8n --version or docker exec if n8n is containerized.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
set -euo pipefail

# check_cve_2026_21858.sh
# Detect likely exposure to CVE-2026-21858 on self-hosted n8n.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN
#   3 = ERROR

DB_PATH="${1:-}"
VERSION=""
CONTAINER=""

print_result() {
  local status="$1"
  echo "$status"
}

version_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

version_lt() {
  ! version_ge "$1" "$2"
}

find_version() {
  if command -v n8n >/dev/null 2>&1; then
    VERSION="$(n8n --version 2>/dev/null | head -n1 | tr -d '[:space:]' || true)"
    if [ -n "$VERSION" ]; then
      return 0
    fi
  fi

  if command -v docker >/dev/null 2>&1; then
    CONTAINER="$(docker ps --format '{{.ID}} {{.Image}} {{.Names}}' | awk '/n8n/ {print $1; exit}' || true)"
    if [ -n "$CONTAINER" ]; then
      VERSION="$(docker exec "$CONTAINER" n8n --version 2>/dev/null | head -n1 | tr -d '[:space:]' || true)"
      if [ -n "$VERSION" ]; then
        return 0
      fi
    fi
  fi

  if [ -f /usr/local/lib/node_modules/n8n/package.json ] && command -v python3 >/dev/null 2>&1; then
    VERSION="$(python3 - <<'PY'
import json
p='/usr/local/lib/node_modules/n8n/package.json'
try:
    with open(p,'r',encoding='utf-8') as f:
        print(json.load(f).get('version',''))
except Exception:
    print('')
PY
)"
    if [ -n "$VERSION" ]; then
      return 0
    fi
  fi

  return 1
}

find_db() {
  if [ -n "$DB_PATH" ] && [ -f "$DB_PATH" ]; then
    return 0
  fi

  for p in \
    "${N8N_USER_FOLDER:-}/database.sqlite" \
    "/home/node/.n8n/database.sqlite" \
    "$HOME/.n8n/database.sqlite"; do
    if [ -n "$p" ] && [ -f "$p" ]; then
      DB_PATH="$p"
      return 0
    fi
  done

  return 1
}

check_workflows_sqlite() {
  local rows
  rows="$(sqlite3 "$DB_PATH" "SELECT COALESCE(nodes,'') FROM workflow_entity WHERE active=1;" 2>/dev/null || true)"
  if [ -z "$rows" ]; then
    return 2
  fi

  # Heuristic for the known vulnerable pattern:
  # - active workflow contains Form Submission trigger
  # - contains Form ending/completion node
  # - configured to return binary content
  if printf '%s' "$rows" | grep -q 'n8n-nodes-base.formTrigger' && \
     printf '%s' "$rows" | grep -q '"operation":"completion"' && \
     printf '%s' "$rows" | grep -Eq '"respondWith":"(returnBinary|binaryFile)"'; then
    return 0
  fi

  return 1
}

main() {
  if ! find_version; then
    print_result "UNKNOWN"
    exit 2
  fi

  # Normalize common leading 'v'
  VERSION="${VERSION#v}"

  # Fixed in all 2.x, unaffected below 1.65.0, fixed in >=1.121.0
  if version_ge "$VERSION" "2.0.0"; then
    print_result "PATCHED"
    exit 0
  fi

  if version_lt "$VERSION" "1.65.0"; then
    print_result "PATCHED"
    exit 0
  fi

  if version_ge "$VERSION" "1.121.0"; then
    print_result "PATCHED"
    exit 0
  fi

  # Version is in affected range. Now check whether the vulnerable workflow pattern exists.
  if ! command -v sqlite3 >/dev/null 2>&1; then
    print_result "UNKNOWN"
    exit 2
  fi

  if ! find_db; then
    print_result "UNKNOWN"
    exit 2
  fi

  if check_workflows_sqlite; then
    print_result "VULNERABLE"
    exit 1
  else
    case $? in
      1)
        # Affected version, but vulnerable workflow pattern not found in local active SQLite workflows.
        # Could still be false-negative if using Postgres/MySQL or remote DB.
        print_result "UNKNOWN"
        exit 2
        ;;
      2)
        print_result "UNKNOWN"
        exit 2
        ;;
      *)
        print_result "UNKNOWN"
        exit 2
        ;;
    esac
  fi
}

main "$@"

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as an internet-edge self-hosted n8n hunt, not as a generic all-hosts fire drill: inventory every self-hosted 1.x instance, identify which ones are in >=1.65.0, <1.121.0, and then separate the truly dangerous subset by finding active workflows that expose Form Submission plus binary-returning Form Ending. For those exposed workflows, remove or restrict public access first and finish compensating controls within the noisgate mitigation SLA of 30 days; then complete upgrades to 1.121.0+ or 2.x inside the noisgate remediation SLA of 180 days. If you find an internet-facing vulnerable workflow on a business-critical automation hub, do not wait for the long tail—move that instance to the front of the patch queue immediately.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.