cbcvebase.
CVE-2026-21877
published 2026-01-08


Priority: P2 · 76 · critical · 9.9 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 5.26% (91.5th percentile)
n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.

Affected

3 ranges

Vendor   Product   Version range             Fixed in
n8n-io   n8n       < 1.121.3                 1.121.3
n8n      n8n       >= 0.123.0 < 1.121.3      1.121.3
n8n      n8n       >= 0.123.0 < 1.121.3      1.121.3

Detection & IOCs (extracted from sources)

path: /form/
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS n8n Ni8mare Content-Type Confusion Multipart Form Bypass (CVE-2026-21877) M1"; flow:established,to_server; http.request_body; content:"|22|executionId|22 3a|"; fast_pattern; content:"|22|files|22 3a|"; content:"|22|filepath|22 3a|"; pcre:"/^\s*\x22[^\x22]*?\x2f/R"; http.uri; content:"/form/"; startswith; http.content_type; content:"application/json"; http.method; content:"POST"; reference:url,www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858; reference:cve,2026-21877; classtype:web-application-attack; sid:2066610; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2026_01_07, cve CVE_2026_21877, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets the /form/ URI endpoint via HTTP POST with Content-Type: application/json — a Content-Type confusion bypass against a multipart form handler. Look for POST requests to paths beginning with /form/ carrying application/json content-type.
  • Request body contains JSON keys 'executionId', 'files', and 'filepath' with a filepath value beginning with a forward slash — indicative of path traversal or arbitrary file reference in the exploit payload.
  • Nuclei template fingerprints vulnerable n8n instances by extracting the version from a base64-encoded Sentry config meta tag. Versions >= 0.123.0 and < 1.121.3 are flagged as vulnerable.
  • n8n version can be extracted from the HTML meta tag 'n8n:config:sentry' whose content is base64-encoded and contains the string 'n8n@<version>'. Use this for passive version detection on exposed n8n instances.
  • The vulnerability is described as an unauthenticated RCE ("Ni8mare") — despite the NVD entry stating authenticated. Network-level detections should treat exploitation attempts from any source IP as high severity.
  • NVD describes the vulnerability as requiring authentication, but the Snort rule and Cyera research reference it as 'Ni8mare Unauthenticated Remote Code Execution'. Detections should not assume authentication is a reliable barrier.
  • The Nuclei template vulnerable version range is >= 0.123.0 and < 1.121.3. Note the NVD entry states affected versions are 0.121.2 and below — there is a discrepancy between sources; use the Nuclei range for detection tuning until clarified.
  • Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but this is not a full mitigation — upgrading to 1.121.3 is required.
  • The Snort rule (sid:2066610) requires TLS decryption for full efficacy on HTTPS-protected n8n deployments, as indicated by the deployment metadata.
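As an added defender's example (not code from this page, the rule's author, or the n8n project), the following Python applies the same conditions as the rule above to parsed HTTP request records and performs the passive version check from the 'n8n:config:sentry' meta tag. The sample requests and HTML fragment are constructed, and the assumption that the decoded meta content is JSON containing 'n8n@<version>' follows the description above; note the filepath check mirrors the rule's pcre, which fires on a '/' anywhere inside the quoted value.

```python
import base64
import re

# Constructed sample requests, not captured traffic. The first has the request
# shape the rule (sid:2066610) describes; the other two are benign controls.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/form/abc123", "content_type": "application/json",
     "body": '{"executionId":"42","files":[{"filepath":"/tmp/evil"}]}'},
    {"method": "POST", "uri": "/form/abc123", "content_type": "multipart/form-data; boundary=x",
     "body": '--x\r\nContent-Disposition: form-data; name="f"\r\n\r\nhi\r\n--x--\r\n'},
    {"method": "POST", "uri": "/rest/workflows", "content_type": "application/json",
     "body": '{"executionId":"42","files":[{"filepath":"/tmp/evil"}]}'},
]

# Same relative check as the rule's pcre after '"filepath":': optional
# whitespace, an opening quote, then a '/' somewhere before the closing quote.
_FILEPATH_WITH_SLASH = re.compile(r'"filepath":\s*"[^"]*?/')

def matches_rule_2066610(req: dict) -> bool:
    """Apply the rule's method, URI, content-type and body conditions."""
    if req["method"] != "POST" or not req["uri"].startswith("/form/"):
        return False
    if "application/json" not in req["content_type"]:
        return False
    body = req["body"]
    if '"executionId":' not in body or '"files":' not in body:
        return False
    return _FILEPATH_WITH_SLASH.search(body) is not None

def flag_requests(requests: list) -> list:
    """Return the URIs of matching requests, e.g. for a triage queue."""
    return [r["uri"] for r in requests if matches_rule_2066610(r)]

# Passive version check: the meta tag's content is base64, and the decoded
# text contains 'n8n@<version>' (assumed JSON shape, as in the Nuclei template).
def n8n_version_from_html(html: str):
    tag = re.search(r'<meta[^>]*n8n:config:sentry[^>]*>', html)
    content = tag and re.search(r'content="([^"]*)"', tag.group(0))
    if not content:
        return None
    decoded = base64.b64decode(content.group(1)).decode("utf-8", "replace")
    m = re.search(r"n8n@(\d+\.\d+\.\d+)", decoded)
    return m.group(1) if m else None

def in_vulnerable_range(version: str) -> bool:
    """True for >= 0.123.0 and < 1.121.3, the Nuclei template's range."""
    parts = tuple(int(p) for p in version.split("."))
    return (0, 123, 0) <= parts < (1, 121, 3)

# Constructed page fragment: content is base64 of {"release":"n8n@1.121.2"}
SAMPLE_HTML = '<meta name="n8n:config:sentry" content="%s">' % base64.b64encode(
    b'{"release":"n8n@1.121.2"}').decode()
```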