CVE-2026-21877
Published 2026-01-08
Priority: P2 · 76 · critical · 9.9 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EXPLOIT: public exploit available
EPSS: 5.26% (91.5th percentile)
n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n-io | n8n | < 1.121.3 | 1.121.3 |
| n8n | n8n | >= 0.123.0 < 1.121.3 | 1.121.3 |
| n8n | n8n | >= 0.123.0 < 1.121.3 | 1.121.3 |
Detection & IOCs (extracted from sources)
Path IOC: /form/
Snort rule (sid:2066610):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS n8n Ni8mare Content-Type Confusion Multipart Form Bypass (CVE-2026-21877) M1"; flow:established,to_server; http.request_body; content:"|22|executionId|22 3a|"; fast_pattern; content:"|22|files|22 3a|"; content:"|22|filepath|22 3a|"; pcre:"/^\s*\x22[^\x22]*?\x2f/R"; http.uri; content:"/form/"; startswith; http.content_type; content:"application/json"; http.method; content:"POST"; reference:url,www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858; reference:cve,2026-21877; classtype:web-application-attack; sid:2066610; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2026_01_07, cve CVE_2026_21877, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets the /form/ URI endpoint via HTTP POST with Content-Type: application/json, a Content-Type confusion bypass against a multipart form handler. Look for POST requests to paths beginning with /form/ that carry an application/json content type.
- Request body contains the JSON keys 'executionId', 'files' and 'filepath', with a quoted filepath value containing a forward slash (the rule's relative PCRE `^\s*\x22[^\x22]*?\x2f` matches the quoted value up to its first '/', so a leading slash is the typical case). This is indicative of path traversal or an arbitrary file reference in the exploit payload.
- Nuclei template fingerprints vulnerable n8n instances by extracting the version from a base64-encoded Sentry config meta tag; versions >= 0.123.0 and < 1.121.3 are flagged as vulnerable.
- The n8n version can be extracted from the HTML meta tag 'n8n:config:sentry', whose base64-encoded content contains the string 'n8n@<version>'. Use this for passive version detection on exposed n8n instances.
- The vulnerability is described as an unauthenticated RCE ("Ni8mare") despite the NVD entry stating authenticated. Network-level detections should treat exploitation attempts from any source IP as high severity.
- NVD describes the vulnerability as requiring authentication, but the Snort rule and Cyera research reference it as 'Ni8mare Unauthenticated Remote Code Execution'. Note that the rule's reference URL slug names CVE-2026-21858, not CVE-2026-21877, so the 'unauthenticated' characterization may belong to the related Ni8mare advisory rather than to this CVE; either way, detections should not assume authentication is a reliable barrier.
- The Nuclei template's vulnerable version range is >= 0.123.0 and < 1.121.3, while the NVD entry states affected versions are 0.121.2 and below. There is a discrepancy between sources; use the Nuclei range for detection tuning until clarified.
- Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but this is not a full mitigation; upgrading to 1.121.3 is required.
- The Snort rule (sid:2066610) requires TLS decryption for full efficacy on HTTPS-protected n8n deployments, as its tls_state TLSDecrypt deployment metadata indicates.
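The request-level conditions that the Snort rule and the bullets above describe, restated as an added Python example that is not part of this page or of the Emerging Threats rule: a small matcher re-implements the sid:2066610 checks (POST, URI starting with /form/, application/json content type, the three JSON keys, and a quoted filepath value containing a '/') and runs them over a few constructed raw HTTP requests. The hostnames, paths and the nesting of the JSON keys in the samples are assumptions chosen only to satisfy or miss the rule's substring checks; the page does not give the real request structure.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class HttpRequest:
    """Minimal view of a decrypted HTTP request, as an IDS or reverse proxy would see it."""
    method: str
    uri: str
    content_type: str
    body: bytes


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, request target, Content-Type and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    content_type = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode("latin-1")
    return HttpRequest(method.decode("latin-1"), uri.decode("latin-1"), content_type, body)


# The rule's three content matches are plain substring checks; its PCRE carries the /R
# (relative) flag, so it is evaluated right after the "filepath": match. Combined, that is
# a quoted value following "filepath": that contains a '/' somewhere before its closing quote.
FILEPATH_WITH_SLASH = re.compile(rb'"filepath":\s*"[^"]*?/')


def matches_sid_2066610(req: HttpRequest) -> bool:
    """True when a request satisfies every condition of the ET rule sid:2066610."""
    if req.method.upper() != "POST":                          # http.method; content:"POST"
        return False
    if not req.uri.startswith("/form/"):                      # http.uri; content:"/form/"; startswith
        return False
    if "application/json" not in req.content_type.lower():   # http.content_type is a substring match
        return False
    if b'"executionId":' not in req.body or b'"files":' not in req.body:
        return False
    return FILEPATH_WITH_SLASH.search(req.body) is not None


def scan(raws: List[bytes]) -> List[int]:
    """Return the indexes of the raw requests the rule would alert on."""
    return [i for i, raw in enumerate(raws) if matches_sid_2066610(parse_raw_request(raw))]


# Constructed sample traffic (not captured from a real instance).
SAMPLE_REQUESTS = [
    # 0: ordinary form submission, multipart as the /form/ endpoint expects -> no alert
    (b"POST /form/abc123 HTTP/1.1\r\nHost: n8n.example\r\n"
     b"Content-Type: multipart/form-data; boundary=x\r\n\r\n"
     b"--x\r\nContent-Disposition: form-data; name=\"field\"\r\n\r\nhello\r\n--x--\r\n"),
    # 1: JSON body on /form/ with the three keys and a slash in filepath -> alert
    (b"POST /form/abc123 HTTP/1.1\r\nHost: n8n.example\r\n"
     b"Content-Type: application/json; charset=utf-8\r\n\r\n"
     b'{"executionId":"1","files":{"filepath":"/placeholder/path"}}'),
    # 2: identical body on a non-/form/ path -> no alert (URI condition fails)
    (b"POST /rest/workflows HTTP/1.1\r\nHost: n8n.example\r\n"
     b"Content-Type: application/json\r\n\r\n"
     b'{"executionId":"1","files":{"filepath":"/placeholder/path"}}'),
    # 3: JSON on /form/ but the filepath value has no '/' -> no alert (PCRE fails)
    (b"POST /form/abc123 HTTP/1.1\r\nHost: n8n.example\r\n"
     b"Content-Type: application/json\r\n\r\n"
     b'{"executionId":"1","files":{"filepath":"report.pdf"}}'),
]


if __name__ == "__main__":
    print("alerting requests:", scan(SAMPLE_REQUESTS))
```

Because the rule inspects the request body and headers, this logic only sees HTTPS traffic after TLS termination or decryption, which is what the rule's tls_state TLSDecrypt metadata is saying; running the same checks at the reverse proxy in front of n8n sidesteps that requirement.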
GHSA
n8n Vulnerable to RCE via Arbitrary File Write
GHSA · 2026-01-06 · CVE-2026-21877 [CRITICAL] · CWE-434
### Impact
n8n is affected by an authenticated Remote Code Execution (RCE) vulnerability.
Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service. This could result in full compromise of the affected instance.
Both self-hosted and n8n Cloud instances are impacted.
### Patches
The issue has been resolved in n8n version 1.121.3.
Users are advised to upgrade to this version or later to fully address the vulnerability.
### Workarounds
If upgrading is not immediately possible, administrators can reduce exposure by disabling the Git node and limiting access for untrusted users.
### References
- n8n documentation: [Blocking access to nodes](https://docs.n8n.io/hosting/securing/block
OSV
n8n Vulnerable to RCE via Arbitrary File Write
OSV · 2026-01-06 · CVE-2026-21877 [CRITICAL]
(Advisory text identical to the GHSA entry above.)
Suricata
ET WEB_SPECIFIC_APPS n8n Ni8mare Content-Type Confusion Multipart Form Bypass (CVE-2026-21877) M1
Suricata · 2026-01-07 · CVSS 9.9 · CVE-2026-21877 [CRITICAL]
Rule: sid:2066610, rev:1; the full rule text is listed under Detection & IOCs above.
Nuclei
n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution
Nuclei · CVSS 9.9 · CVE-2026-21877 [CRITICAL]
Template fragment (the id, info, request and the opening of the matchers block were lost in extraction; the fragment begins inside the final word matcher):

```yaml
          - "n8n.io"
        case-insensitive: true
      - type: dsl
        name: vulnerable
        dsl:
          - compare_versions(version, '>= 0.123.0', '< 1.121.3')
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: base64_content
        group: 1
        regex:
          - '<meta name="n8n:config:sentry" content="([A-Za-z0-9+/=]+)"'
        internal: true
      - type: dsl
        name: version
        dsl:
          - 'replace_regex(base64_decode(base64_content), ".*n8n@([0-9]+\\.[0-9]+\\.[0-9]+).*", "$1")'
        internal: true
      - type: dsl
        dsl:
          - '"n8n Version: " + version'
# digest: 4b0a00483046022100a5ca4af118341bf59e4ca866ec1431406901148e2c95fcdf20b6b77880402f49022100a73d35829b0ed8eac32f6eac0d5876231c98cd87d9855f219ae47eac90e2762c:922c64590222798bb761d5b6d8e72950
```
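The version fingerprinting that the Nuclei template's extractors and the Detection & IOCs bullets describe, restated in Python as an added example (not the template itself and not n8n's code): it pulls the base64 blob out of the n8n:config:sentry meta tag, decodes it, extracts the n8n@<version> string and compares the result against the template's range with numeric rather than string ordering. Only the meta tag name, the base64 character class and the n8n@<version> pattern come from the template; the sample page and the JSON keys inside the constructed Sentry config are assumptions.

```python
import base64
import binascii
import json
import re
from typing import Optional, Tuple

# Patterns lifted from the Nuclei template's regex and dsl extractors.
SENTRY_META = re.compile(r'<meta name="n8n:config:sentry" content="([A-Za-z0-9+/=]+)"')
RELEASE_TAG = re.compile(r'n8n@([0-9]+\.[0-9]+\.[0-9]+)')

# Vulnerable range asserted by the template's compare_versions() matcher.
RANGE_LOW, RANGE_HIGH = "0.123.0", "1.121.3"


def extract_n8n_version(html: str) -> Optional[str]:
    """Return the n8n version advertised in the Sentry config meta tag, or None."""
    m = SENTRY_META.search(html)
    if m is None:
        return None
    try:
        # validate=True rejects stray characters and bad padding instead of decoding garbage.
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None
    r = RELEASE_TAG.search(decoded)
    return r.group(1) if r else None


def parse_semver(v: str) -> Tuple[int, int, int]:
    """'1.9.0' -> (1, 9, 0); tuples compare numerically, so 1.9.0 < 1.10.0 as it should."""
    major, minor, patch = (int(p) for p in v.split("."))
    return (major, minor, patch)


def in_vulnerable_range(version: str, low: str = RANGE_LOW, high: str = RANGE_HIGH) -> bool:
    """Equivalent of compare_versions(version, '>= 0.123.0', '< 1.121.3')."""
    return parse_semver(low) <= parse_semver(version) < parse_semver(high)


def assess(html: str) -> dict:
    """Combine extraction and range check into one verdict for a fetched page body."""
    version = extract_n8n_version(html)
    return {"version": version,
            "vulnerable": version is not None and in_vulnerable_range(version)}


def make_sample_page(release: str) -> str:
    """Constructed HTML standing in for an n8n landing page (assumed shape; the JSON keys
    are invented, only the 'n8n@<version>' string is attested by the template)."""
    cfg = json.dumps({"dsn": "", "environment": "production", "release": f"n8n@{release}"})
    blob = base64.b64encode(cfg.encode()).decode()
    return ('<html><head>'
            f'<meta name="n8n:config:sentry" content="{blob}">'
            '</head><body></body></html>')


if __name__ == "__main__":
    for rel in ("1.120.0", "1.121.3", "0.122.9"):
        print(rel, assess(make_sample_page(rel)))
```

A page without the meta tag, or with a blob that is not valid base64, yields `version: None` and is reported as not vulnerable rather than raising, so the check can run unattended across an inventory of hosts; a None result should be treated as "unknown version" and followed up manually rather than as "patched".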
Wiz
CVE-2026-21877 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.9 · CVE-2026-21877 [CRITICAL]
## CVE-2026-21877: NixOS vulnerability analysis and mitigation
Description (source: NVD): identical to the NVD summary at the top of this page.
- Score: 9.9 (CNA score 9.9, severity CRITICAL)
- Published: January 8, 2026
- Affected technologies: NixOS, n8n
- Has public exploit: Yes
- In CISA KEV: No (release date N/A, due date N/A)
- Exploitation probability percentile (EPSS): 94.3
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio