Cyber Posture

CVE-2026-21858

CriticalPublic PoC

Published: 08 January 2026

Published
08 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0663 91.3th percentile
Risk Priority 24 60% EPSS · 20% KEV · 20% CVSS

Description

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated…

more

remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely patching of the n8n vulnerability fixed in version 1.121.0 to eliminate unauthorized file access via form-based workflows.

SI-10 Information Input Validation good match
prevent

Directly addresses the improper input validation (CWE-20) root cause by requiring validation of workflow inputs to block exploitation leading to server file access.

AC-3 Access Enforcement partial match
prevent

Enforces access control policies to restrict unauthenticated attackers from accessing sensitive files on the underlying server through vulnerable workflows.

Security SummaryAI

CVE-2026-21858 is a critical vulnerability in n8n, an open source workflow automation platform. It affects versions starting from 1.65.0 up to but not including 1.121.0, where certain form-based workflows enable an attacker to access files on the underlying server. The issue stems from improper input validation (CWE-20) and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability disruption.

An unauthenticated remote attacker can exploit the vulnerability by executing a vulnerable workflow, gaining unauthorized access to sensitive files on the server. This exposure can reveal confidential data and potentially lead to further system compromise, depending on the deployment configuration and specific workflow usage.

The vulnerability is addressed in n8n version 1.121.0. Official mitigation guidance is available in the GitHub security advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg, with additional details provided by Cyera Research Labs at https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858. Security practitioners should prioritize upgrading affected instances and reviewing exposed workflows.

Details

CWE(s)
CWE-20

Affected Products

n8n
n8n
1.65.0 — 1.121.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing web application (n8n) to access arbitrary files on the server, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1083/T1005 (File and Directory Discovery/Data from Local System) for collection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References