CVE-2026-21858 Overview
CVE-2026-21858 is an improper input validation vulnerability in n8n, an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage.
Critical Impact
This vulnerability allows unauthenticated remote attackers to read arbitrary files from the server through specially crafted form-based workflows, potentially exposing sensitive configuration files, credentials, and other confidential data.
Affected Products
- n8n versions >= 1.65.0 and < 1.121.0
Discovery Timeline
- 2026-01-08 - CVE CVE-2026-21858 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21858
Vulnerability Analysis
This vulnerability is classified as CWE-20 (Improper Input Validation) and allows attackers to exploit form-based workflows within the n8n platform to gain unauthorized file system access. The vulnerability is particularly severe because it can be exploited without authentication, meaning any attacker with network access to a vulnerable n8n instance can potentially read sensitive files from the underlying server.
The attack can be executed remotely over the network with low complexity and requires no special privileges or user interaction. The scope of the vulnerability extends beyond the vulnerable component itself, meaning a successful exploit could potentially affect other resources on the system. The impact includes high confidentiality and integrity breaches, as attackers can read sensitive files and potentially leverage this access for further compromise.
Root Cause
The root cause of this vulnerability stems from improper input validation in the form-based workflow execution functionality. The n8n platform fails to adequately validate or sanitize inputs when processing certain form-based workflows, allowing attackers to manipulate these workflows to access files outside the intended scope. This lack of proper input validation enables path traversal or similar file access attacks through the workflow execution engine.
Attack Vector
The attack is network-based and can be performed by unauthenticated remote attackers. The exploitation process involves:
- An attacker identifies a vulnerable n8n instance running a version between 1.65.0 and 1.121.0
- The attacker crafts or triggers execution of a malicious form-based workflow
- The vulnerable workflow processing allows file system access due to improper input validation
- Sensitive files on the server are exposed to the attacker
- Depending on the deployment configuration and contents of exposed files, the attacker may leverage this information for further attacks
The vulnerability is exploitable through the form-based workflow functionality without requiring any prior authentication. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-21858
Indicators of Compromise
- Unusual file access patterns in server logs, particularly requests for sensitive system files
- Unexpected workflow executions, especially form-based workflows from unknown sources
- Evidence of path traversal sequences in workflow parameters or API requests
- Access attempts to configuration files, credential stores, or other sensitive directories
- Network connections from suspicious IP addresses to the n8n service
Detection Strategies
- Monitor n8n application logs for anomalous workflow execution patterns
- Implement file integrity monitoring on sensitive server files
- Deploy network intrusion detection systems (IDS) to identify suspicious traffic patterns targeting the n8n instance
- Review workflow audit logs for unauthorized or unexpected form-based workflow creation and execution
- Set up alerts for access attempts to sensitive file paths through the application
Monitoring Recommendations
- Enable comprehensive logging for all workflow executions in n8n
- Monitor server file system access logs for unauthorized read operations
- Implement real-time alerting for any access to sensitive configuration files
- Regularly review n8n access logs for unauthenticated requests to workflow endpoints
How to Mitigate CVE-2026-21858
Immediate Actions Required
- Upgrade n8n immediately to version 1.121.0 or later
- Audit existing form-based workflows for any signs of compromise or malicious modifications
- Review server logs for indicators of exploitation attempts
- Restrict network access to the n8n instance to trusted IP addresses only until patching is complete
- Consider temporarily disabling form-based workflows if immediate upgrade is not possible
Patch Information
The vulnerability has been fixed in n8n version 1.121.0. Organizations running affected versions (between 1.65.0 and 1.121.0) should upgrade to the patched version immediately. The security advisory is available at the GitHub Security Advisory page.
Workarounds
- Implement network-level access controls to restrict access to the n8n instance
- Use a web application firewall (WAF) to filter potentially malicious requests
- Disable or restrict form-based workflows until the upgrade can be applied
- Run n8n in a containerized environment with limited file system access
- Implement strict file system permissions to limit the impact of potential exploitation
# Example: Restrict network access to n8n using iptables
# Allow only trusted IP ranges to access n8n service port
iptables -A INPUT -p tcp --dport 5678 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 5678 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
