Cybersecurity

Complete Guide to Critical N8n Vulnerability (cvss 10.0) Allows Unauthenticated...

2026-01-07 0 views admin
Complete Guide to Critical N8n Vulnerability (cvss 10.0) Allows Unauthenticated...

Cybersecurity researchers have disclosed details of yet another maximum-severity security flaw in n8n, a popular workflow automation platform, that allows an unauthenticated remote attacker to gain complete control over susceptible instances.

The vulnerability, tracked as CVE-2026-21858 (CVSS score: 10.0), has been codenamed Ni8mare by Cyera Research Labs. Security researcher Dor Attias has been acknowledged for discovering and reporting the flaw on November 9, 2025.

"A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows," n8n said in an advisory published today. "A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage."

With the latest development, n8n has disclosed four critical vulnerabilities over the last two weeks -

However, unlike these flaws, CVE-2026-21858 does not require any credentials and takes advantage of a "Content-Type" confusion flaw to extract sensitive secrets, forge administrator access, and even execute arbitrary commands on the server.

The vulnerability affects all versions of n8n prior to and including 1.65.0. It has been addressed in version 1.121.0, which was released on November 18, 2025. It's worth noting that the latest versions of the library are 1.123.10, 2.1.5, 2.2.4, and 2.3.0.

According to technical details shared by Cyera with The Hacker News, the crux of the problem is rooted in the n8n webhook and file handling mechanism. Webhooks, which are crucial to receive data from apps and services when certain events occur, are triggered after the incoming request is parsed using a function named "parseRequestBody()."

Specifically, the function is designed to read the "Content-Type" header in the request and invoke another function to parse the request body -

The file upload parser, in turn, uses the parse() function associated with formidable, a Node.js module for parsing form data, and stores the decoded result in a global variable called "req.body.files." This populated data is processed by the webhook, which only runs when the "Content-Type" header is set to "multipart/form-data."

In contrast, the regular body parser processes the incoming HTTP request body and stores the extracted data in a different global variable known as "req.body."

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityhackvulnerabilitycve

More from Cybersecurity

Ultimate Guide: Trend Micro Warns Of Critical Apex Central RCE Vulnerability

Ultimate Guide: Trend Micro Warns Of Critical Apex Central RCE Vulnerability

2026-01-09 0
Report: Trend Micro Apex Central RCE Flaw Scores 9.8 Cvss In On-prem...

Report: Trend Micro Apex Central RCE Flaw Scores 9.8 Cvss In On-prem...

2026-01-09 0
Cisa Retires 10 Emergency Cybersecurity Directives Issued Between

Cisa Retires 10 Emergency Cybersecurity Directives Issued Between

2026-01-09 0
Fbi Warns North Korean Hackers Using Malicious Qr Codes In

Fbi Warns North Korean Hackers Using Malicious Qr Codes In

2026-01-09 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views