cbcvebase.
CVE-2026-21858
published 2026-01-08

Priority: P196 · Severity: critical · CVSS 3.1 base score: 10
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:N
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 71.65% (99.3rd percentile)
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

Affected (3 ranges)

Vendor    Product    Version range            Fixed in
n8n-io    n8n
n8n       n8n        >= 1.65.0 < 1.121.0      1.121.0
n8n       n8n        >= 1.65.0 < 1.121.0      1.121.0

Detection & IOCs (extracted from sources)

Other indicator: AS211590 /24 block
  • Alert on unauthenticated requests to n8n form/webhook endpoints that include file metadata fields with absolute filesystem paths (e.g., /etc/passwd, /proc/*), as this is the exploitation pattern for arbitrary file read.
  • Monitor for n8n instances running versions 1.65.0 through 1.120.x that have an active workflow with a Form Submission trigger accepting a file element AND a Form Ending node returning a binary file — this is the specific vulnerable workflow configuration.
  • Treat high-volume request bursts to n8n endpoints from coordinated infrastructure as active exploitation; GreyNoise observed 83,334 exploitation attempts from a single /24 block within the analysis window.
  • Use the Metasploit auxiliary module `auxiliary/gather/ni8mare_cve_2026_21858` as a reference for the exploit's request structure to build network-level detection signatures.
  • Restrict or disable publicly accessible webhook and form endpoints as a temporary mitigation if upgrading to 1.121.0+ is not immediately possible.
  • The vulnerability only manifests in workflows with the specific combination of a Form Submission trigger with a file element and a Form Ending node returning a binary file; audit active workflows for this pattern.

CVSS provenance

NVD: CVSS v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
VulnCheck: 10.0 CRITICAL