Cybersecurity researchers have disclosed details of another maximum-severity security flaw in n8n, a popular workflow automation platform, that allows an unauthenticated remote attacker to gain full control over vulnerable instances.
The vulnerability, tracked as CVE-2026-21858 (CVSS score: 10.0), has been codenamed Ni8mare by Cyra Research Labs. Security researcher Dor Attias is credited with discovering and reporting the flaw on November 9, 2025.
“A vulnerability in n8n allows an attacker to access files on the underlying server through the execution of certain forms-based workflows,” n8n said in an advisory published today. “An unsecured workflow could provide access to an unauthenticated remote attacker. This could result in sensitive information stored on the system being exposed and further compromise depending on deployment configuration and workflow usage.”
With the latest development, n8n has disclosed four critical vulnerabilities in the last two weeks –
- CVE-2025-68668, aka N8scape (CVSS score: 9.9) – a sandbox bypass vulnerability that could allow an authenticated user to create or modify a workflow to execute arbitrary commands on the host system running n8n (fixed in version 2.0.0)
- CVE-2026-21877 (CVSS score: 10.0) – an unrestricted upload of a file with a dangerous type, which could allow an authenticated attacker to execute untrusted code via the n8n service, leading to full compromise of the instance (fixed in version 1.121.3)
However, unlike these flaws, CVE-2026-21858 does not require any credentials: it leverages a “Content-Type” confusion flaw to extract sensitive secrets, gain administrator access, and even execute arbitrary commands on the server.
The vulnerability affects all versions of n8n before and including 1.65.0. It has been addressed in version 1.121.0, released on November 18, 2025. It is worth noting that the latest n8n releases are 1.123.10, 2.1.5, 2.2.4 and 2.3.0.
According to the technical details shared by Cyra with The Hacker News, the root of the problem lies in n8n’s webhook and file-handling mechanisms. Webhooks, which are used to receive data from apps and services when certain events occur, are triggered after the incoming request is parsed by a function called “parseRequestBody()”.
Specifically, the function reads the “Content-Type” header of the request and invokes one of two functions to parse the request body –
- If the “Content-Type” header is “multipart/form-data”, which denotes form data, it uses parseFormData(), aka the “file upload parser”.
- For all other content types it uses parseBody(), aka the “regular body parser”.
The file upload parser, in turn, uses the parse() function of Formidable, a Node.js module, to parse the form data, and stores the decoded result in a variable called “req.body.files”. This populated data is then processed by the webhook, and the parser only runs if the “Content-Type” header is set to “multipart/form-data”.
In contrast, the regular body parser processes the incoming HTTP request body and stores the extracted data in a separate global variable called “req.body”.
CVE-2026-21858 occurs when a file-handling function is run without first verifying that the content type is “multipart/form-data”, which potentially allows an attacker to override req.body.files. Cyra said it found such a weak flow in the function handling form submissions (“formWebhook()”), which invokes the file-handling function (“copyBinaryFile()”) to act on “req.body.files”.
“The problem here is: because this function is called without verifying the content type ‘multipart/form-data’, we control the entire req.body.files object,” Attias said. “This means we control the filepath parameter – so instead of copying an uploaded file, we can copy any local file from the system.”
“Result? Any node after the form node receives the contents of the local file instead of the content uploaded by the user.”
As for how the attack might occur, consider a website with a chat interface that answers questions about various products based on product specification files uploaded to an organizational knowledge base through a forms workflow. With this setup, a bad actor can take advantage of the security hole to read arbitrary files from the n8n instance and escalate to RCE by performing the following steps –
- Use the arbitrary file read primitive to access the database located at “/home/node/.n8n/database.sqlite” and load it into the knowledge base
- Extract the administrator’s user ID, email, and hashed password using the chat interface
- Again use the arbitrary read primitive to load the configuration file located at “/home/node/.n8n/config” and extract the encryption secret key
- Use the obtained user and key information to create a fake session cookie and gain administrator access, thereby bypassing authentication.
- Get RCE by creating a new workflow with an “Execute Command” node
“The blast radius of a compromised n8n is very large,” Cyra said. “A compromised n8n instance doesn’t just mean losing a system – it means handing over the keys to everything to attackers. API credentials, OAuth tokens, database connections, cloud storage – all centralized in one place. n8n becomes a single point of failure and a goldmine for threat actors.”
Given the severity of the flaw, users are advised to upgrade to the patched version or later as soon as possible, avoid exposing n8n to the Internet, and enforce authentication for all forms. As a temporary mitigation, it is recommended to restrict or disable publicly accessible webhook and form endpoints.