CVE-2026-21858 Scanner (Version Based)
CVE-2026-21858 Scanner - Remote Code Execution vulnerability in n8n
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 9 hours
Scan only one: URL
n8n is an open-source workflow automation platform designed to help organizations connect applications, automate processes, and orchestrate data flows with minimal friction. The platform is widely used by developers, DevOps teams, and enterprises to build complex automation workflows without extensive coding knowledge. With over 100 million Docker pulls and thousands of enterprises using it, n8n has become a central nervous system for automation infrastructure. The platform offers a user-friendly drag-and-drop interface with hundreds of integrations for various services and APIs. Due to its flexibility and extensibility, n8n often serves as a central automation layer bridging internal systems and external services. Organizations commonly deploy n8n for tasks ranging from data synchronization to AI-powered workflow automation.
CVE-2026-21858, also known as Ni8mare, is a critical unauthenticated remote code execution vulnerability affecting n8n versions 1.65.0 through 1.120.x. The vulnerability stems from improper handling of Content-Type headers in webhook request processing, leading to a Content-Type confusion attack. This flaw allows unauthenticated attackers to bypass file upload security controls and read arbitrary files from the server. By exploiting this vulnerability, attackers can extract sensitive information including the n8n SQLite database and encryption secrets. The extracted credentials enable attackers to forge authentication cookies and gain administrative access to the n8n instance. Ultimately, this leads to full remote code execution through n8n's built-in workflow execution capabilities.
The vulnerability exists in the parseRequestBody() middleware function that processes incoming webhook requests. When a request arrives, this function inspects the Content-Type header to determine which parsing routine to apply. For multipart/form-data requests, it delegates to parseFormData(), which safely handles file uploads through the Formidable library. However, by sending a request with a different content type such as application/json, attackers can force the use of parseBody() instead. The parseBody() function directly assigns attacker-controlled input to req.body without any file-handling safeguards, allowing injection of arbitrary file paths. The formWebhook handler then processes these injected paths through copyBinaryFile() without validating their origin, resulting in an arbitrary file read.
Successful exploitation of this vulnerability can result in complete system compromise with severe consequences. Attackers can read any file accessible to the n8n process, including configuration files, database contents, and encryption secrets. With access to the n8n SQLite database and signing secret, attackers can forge valid session cookies and bypass authentication entirely. Once authenticated as an administrator, attackers can create workflows using built-in nodes like Execute Command to achieve arbitrary code execution. This grants full control over the n8n server and potentially any connected systems, APIs, and services. All credentials, API tokens, OAuth secrets, and database connections stored in n8n become accessible to the attacker.