Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
CVE-2026-21858: n8n Vulnerability Exposes Thousands of Servers to RCE

8 January 2026 08:02

The vulnerability, identified as CVE-2026-21858, which we recently reported on, affects approximately 100,000 servers worldwide, threatening to expose proprietary API keys, customer databases, and AI workflows.

The vulnerability carries a CVSS score of 10, and a public proof-of-concept (PoC) exploit chain already exists, so exploitation by criminal actors should be expected. Because n8n acts as an automation “central nervous system,” the flaw lets unauthenticated attackers take full control of the server and, through it, of the systems it is wired to.

The issue lies in the form webhook node, which handles file uploads. The function that processes these uploads, prepareFormReturnItem, assumes that req.body.files contains files that were genuinely uploaded through a multipart form. It never verifies that the request was actually multipart/form-data.

Essentially, the vulnerability is a logic flaw in the way n8n processes incoming HTTP requests, specifically a “Content-Type Confusion.”

This allows an attacker to perform a simple but deadly trick:

  1. Send a request with Content-Type: application/json.
  2. Include a malicious file object in the JSON body.
  3. Set the file path in that object to any file on the server (e.g., /etc/passwd).

Because the application trusts this input, it reads the referenced system file and returns its contents to the attacker, yielding an arbitrary file read primitive.

While arbitrary file read is damaging on its own, Cyera’s report details how this primitive can be chained to take complete control of the server. The attack path is methodical and effective:

  1. Phase 1: Credential theft.
  2. Phase 2: Session spoofing.
  3. Phase 3: Code execution.

Security researcher Chocapikk has already published a Proof-of-Concept (PoC) chaining this vulnerability with another flaw (CVE-2025-68613) to achieve unauthenticated remote code execution (RCE).

The “blast radius” is huge.

Because n8n is designed to connect disparate systems, a compromised instance gives attackers the keys to everything it touches: “corporate Google Drive, OpenAI API keys, Salesforce data, IAM systems, payment processors,” and more.

There are no official workarounds for this vulnerability.

Administrators are advised to immediately update n8n to version 1.121.0 or later to address this vulnerability.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.