AI description
CVE-2026-21858, dubbed "Ni8mare" by Cyera Research Labs, is a critical vulnerability in the n8n workflow automation platform. The flaw is a Content-Type confusion issue in the `formWebhook()` function, which handles form submissions: the function does not verify that the incoming HTTP request's `Content-Type` header is `multipart/form-data` before it processes files. Because of this missing check, an unauthenticated attacker can control the `req.body.files` object with a crafted request, which yields arbitrary file reads from the n8n server and can be escalated to arbitrary command execution on the underlying system. The vulnerability affects n8n versions from 1.65.0 up to, but not including, 1.121.0, and was addressed in version 1.121.0, released on November 18, 2025.
- Description: n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: n8n
CVSS 3.1
- Type: Secondary
- Base score: 10
- Impact score: 5.8
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- Severity: CRITICAL
- security-advisories@github.com
- CWE-20
- Hype score: Not currently trending
New TALON report: Critical vulnerabilities in #n8n workflow automation. CVE-2025-68613 and CVE-2026-21858 could be chained to increase security risk. 👉 Learn more: https://t.co/GlqBXbZB0N https://t.co/y1Jd78MfJF
@S2W_Official
11 Feb 2026
147 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-21858 + CVE-2025-68613: n8n Ni8mare - Full Chain Exploit Unauthenticated to Root RCE: - LFI via Content-Type confusion - Read /proc/self/environ to find HOME - Steal encryption key + database - Forge admin JWT token - Expression injection sandbox bypass - RCE as root ht
@Danodi_j6
6 Feb 2026
77 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
IMPORTANT: Upgrade your self hosted n8n! All supported versions prior to 2.0.0 are affected. CVE-2025-68613 https://t.co/v5KUleCXlR CVE-2025-68668 https://t.co/PW7rPZkWK6 CVE-2026-21858 https://t.co/GK2twlNwnR CVE-2026-21877 https://t.co/DLDO9vYlfa
@igz4rd
28 Jan 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
RCE Chain in n8n: From Zero-Access to Root (CVE-2026-21858 + CVE-2025-68613) #ciberseguridad #hacking https://t.co/OnISVZ3vPm
@FredyBahenaM
11 Jan 2026
81 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Critical RCE vulns hitting hard: Trend Micro Apex Central (CVE-2025-69258 PoC out) & HPE OneView (CVE-2025-37164 in CISA KEV). Plus, n8n’s “Ni8mare” (CVE-2026-21858, CVSS 10) fueling cloud intrusions. #CyberSecurity
@huntthethreat
11 Jan 2026
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-21858 + CVE-2025-68613 - n8n Full Chain https://t.co/HLIqfT3D4I #exploit #exploitation #cve #cybersecurity #informationsecurity #ai https://t.co/YtBwvCMR9R
@blackstormsecbr
10 Jan 2026
144 Impressions
1 Retweet
3 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-21858 + CVE-2025-68613: n8n Ni8mare - Full Chain Exploit Unauthenticated to Root RCE: - LFI via Content-Type confusion - Read /proc/self/environ to find HOME - Steal encryption key + database - Forge admin JWT token - Expression injection sandbox bypass - RCE as root ht
@HackingTeam777
9 Jan 2026
10183 Impressions
45 Retweets
218 Likes
97 Bookmarks
5 Replies
2 Quotes
It's a fine start to the year for FrenchTech, with: 💥 n8n vulns CVE-2026-21858 and CVE-2025-68613 by @Chocapikk 💥 Livewire vuln CVE-2025-54068* by @_Worty and @_remsio_ Well done 🎉 and happy new year 2026 😄 *come on.... end of 2025 is almost the start of 2026 😅
@mynameisv_
9 Jan 2026
424 Impressions
0 Retweets
6 Likes
0 Bookmarks
4 Replies
0 Quotes
CVE-2026-21858 + CVE-2025-68613: n8n Ni8mare - Full Chain Exploit Unauthenticated to Root RCE: - LFI via Content-Type confusion - Read /proc/self/environ to find HOME - Steal encryption key + database - Forge admin JWT token - Expression injection sandbox bypass - RCE as root ht
@Hackervidya
8 Jan 2026
68 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-21858 + CVE-2025-68613: n8n Ni8mare - Full Chain Exploit Unauthenticated to Root RCE: - LFI via Content-Type confusion - Read /proc/self/environ to find HOME - Steal encryption key + database - Forge admin JWT token - Expression injection sandbox bypass - RCE as root ht
@Chocapikk_
7 Jan 2026
36101 Impressions
146 Retweets
596 Likes
318 Bookmarks
8 Replies
8 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A90AFDBB-31A3-41C0-8E53-8D10D9FB47C3",
            "versionEndExcluding": "1.121.0",
            "versionStartIncluding": "1.65.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]