{"id":18782,"date":"2026-01-09T04:11:52","date_gmt":"2026-01-09T04:11:52","guid":{"rendered":"https:\/\/sekuritasit.com\/?p=18782"},"modified":"2026-01-09T04:11:52","modified_gmt":"2026-01-09T04:11:52","slug":"n8n-unauthenticated-remote-code-execution","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2026\/01\/09\/n8n-unauthenticated-remote-code-execution\/","title":{"rendered":"n8n Unauthenticated Remote Code Execution"},"content":{"rendered":"\n\n\n\n <\/colgroup>\n\n\n\n\n
\n

\n What is the Vulnerability?\n <\/p>\n<\/td>\n

\n

\n CVE-2026-21858 arises from a Content-Type confusion flaw in n8n\u2019s webhook and form handling logic. Specifically, certain form-based workflows do not adequately validate or enforce multipart form content types, allowing attackers to override internal request parsing state. This allows unauthenticated attackers to:<\/p>\n

– Read arbitrary files from the server filesystem
\n
\n – Extract sensitive internal secrets (e.g., database files, auth keys)
\n
\n – Forge valid authentication sessions
\n
\n – Construct workflows that execute arbitrary operating system commands
\n
\n – Fully compromise the host, leading to complete server takeover<\/p>\n

The issue stems from improper input validation (CWE-20) and flawed logic in how webhook payloads are parsed and handled, enabling manipulation of internal variables that control file handling.<\/p>\n

Censys telemetry reports an estimated tens of thousands (26,512) of potentially exposed and vulnerable n8n instances when queried across the public internet via service detection.<\/p>\n

While no confirmed widespread exploitation campaigns have been documented at the time of disclosure, the unauthenticated nature and straightforward exploitability make this highly likely to be weaponized rapidly by scanning and exploitation tools.\n <\/p>\n<\/td>\n<\/tr>\n

\n

\n What is the recommended Mitigation?\n <\/p>\n<\/td>\n

\n

\n Immediate upgrade to n8n version 1.121.0 or later – which includes fixes for CVE-2026-21858. Official hardening guidance:
\n
\n https:\/\/docs.n8n.io\/hosting\/securing\/blocking-nodes\/
\n <\/a><\/p>\n

– Restrict or disable internet exposure of n8n webhook\/form endpoints.
\n
\n – Enforce authentication for all form submissions and webhooks.
\n
\n – Audit logs for suspicious access patterns to webhook endpoints.
\n
\n – Rotate any credentials (API keys, tokens) stored in affected n8n instances.
\n
\n – Block high-risk nodes using n8n\u2019s built-in node-blocking capabilities.\n <\/p>\n<\/td>\n<\/tr>\n

\n

\n What FortiGuard Coverage is available?\n <\/p>\n<\/td>\n

\n