CVE-2026-21858
CRITICAL · 10.0 · EPSS 5.8% · Public PoC in research report, fix available, urgent chatter, no KEV yet.
What: the n8n workflow automation platform (versions <1.121.0) allows unauthenticated remote code execution via form-based workflows, exposing file access and potential full server compromise. CVSS 10.0 critical.
Why it matters: n8n acts as a central hub connecting OAuth credentials, cloud storage, and IAM systems. Unauthenticated RCE drastically widens the blast radius: attackers gain direct access to chained API tokens and sensitive integrations without logging in. A fix was released in January 2026; the public research disclosure (Cyera report) is driving active discussion.
Where it's seen: security researchers and engineers are amplifying the Cyera "Ni8mare" research report across Bluesky and X. Posts emphasize the lack of authentication gating and the integration risk. No KEV listing yet, but the high CVSS score and public advisory fuel urgent patching conversations.
RISK: CRITICAL — Unauthenticated RCE with trivial impact scope; integrations multiply exposure.
AttackerKB
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
Public PoCs on GitHub (20 repos)
- nomi-sec/PoC-in-GitHub ★ 7687
📡 PoC auto-collected from GitHub. ⚠️ Be careful: malware.
- KingOfBugbounty/KingOfBugBountyTips ★ 5327 · Python
Our main goal is to share tips from some well-known bug hunters. Using recon methodology, we are able to find subdomains, APIs, and tokens that are already exploitable, so we can report them. We wish to influence Onelinetips and explain the commands, for the better understanding of new hunters.
- Threekiii/Awesome-POC ★ 4946 · Java
A vulnerability PoC knowledge base. A knowledge base for vulnerability PoCs (Proof of Concept), with 1k+ vulnerabilities.
- 0xMarcio/cve ★ 1231 · Python
Latest CVEs with their Proof of Concept exploits.
- GhostTroops/TOP ★ 722 · Shell
TOP All bugbounty pentesting CVE-2023- POC Exp RCE example payload Things
Articles & coverage (15 articles)
- CVE-2026-21858: n8n Workflow Information Disclosure Flaw
CVE-2026-21858 is an information disclosure vulnerability in n8n workflow automation platform that allows unauthenticated attackers to access server files. CVE-2026-21858 is an improper input validation vulnerability in n8n, an open source workflow automation platform. This vulnerability allows unauthenticated remote attackers to read arbitrary files from the server through specially crafted form-
- 💀 Exploit for CVE-2026-21858
Features: Version Detection - Automatically identifies n8n version and checks vulnerability status · Multiple Scan Modes - Light, medium, and deep scan intensities · Batch Scanning - Scan multiple targets from a file · Flexible Output - JSON, CSV, HTML, Markdown, or plain text reports · Rate Limiting - Configurable delays to respect target systems · Authoriz
- Emerging Threat: CVE-2026-21858, CVE-2025-68613 & CVE-2026-21877 – n8n Workflow Automation Vulnerabilities | CyCognito Blog
An attacker can exploit this flaw without credentials to gain full control of a vulnerable n8n instance. CVE-2026-21877 is a critical authenticated RCE vulnerability that allows a legitimate user to execute arbitrary code by abusing unsafe workflow execution paths. CVE-2026-21858
- CVE-2026-21858 - n8n Workflow vulnerability - Broadcom Inc.
CVE-2026-21858 is a recently disclosed critical Arbitrary File Read vulnerability affecting n8n, which is a workflow automation tool.
- Ni8mare: n8n CVE-2026-21858 Remote Code Execution Vulnerability Explained
On January 7, 2026, n8n disclosed a critical vulnerability that enables unauthenticated attackers to fully compromise locally deployed instances. Tracked as CVE-2026-21858, the Ni8mare vulnerability allows attackers to bypass authentication entirely and ultimately achieve remote code execution on the host system. Given n8n’s
NVD details: 1 CWE · 1 vendor · 2 refs
Top posts driving the trend
- @mel-echosphere.bsky.social · Bluesky · 5/2/2026
n8n pre-auth RCE (CVE-2026-21858, CVSS 10.0). Full admin privileges with no login required; everything below v1.121.0 is affected. 🕊️ https://www.cyera.com/research/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858 n8n is the hub that connects OpenAI keys, Google Drive, Salesforce and IAM. There was no lock on the door into it; that is why the blast radius is so absurdly huge. ⚠️ #LLMSecurity #n8n
♥ 0 · ↻ 1 · 💬 1
- @YasirRazaHaidri · X · 5/2/2026
Unauthenticated RCE flaw named Ni8mare hits n8n (CVE-2026-21858)
♥ 0 · ↻ 0 · 💬 0
- @YasirRazaHaidri · X · 5/1/2026
Ni8mare vulnerability exposes n8n to unauthenticated RCE (CVE-2026-21858) Source: https://t.co/M3jlggMTuH
♥ 0 · ↻ 0 · 💬 0
- @yasirrazahaidry · X · 5/1/2026
Ni8mare vulnerability enables unauthenticated RCE in n8n (CVE-2026-21858) Source: https://t.co/ahFxIoZB45
♥ 0 · ↻ 0 · 💬 0