CVE-2026-21858

CriticalPublic PoC

Published: 08 January 2026

Published

08 January 2026

Modified

16 January 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score 0.0694 91.5th percentile

Risk Priority 24 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21858 is a critical-severity Improper Input Validation (CWE-20) vulnerability in N8N N8N. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely patching of the n8n vulnerability fixed in version 1.121.0 to eliminate unauthorized file access via form-based workflows.

SI-10 Information Input Validation good match

prevent

Directly addresses the improper input validation (CWE-20) root cause by requiring validation of workflow inputs to block exploitation leading to server file access.

AC-3 Access Enforcement partial match

prevent

Enforces access control policies to restrict unauthenticated attackers from accessing sensitive files on the underlying server through vulnerable workflows.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing web application (n8n) to access arbitrary files on the server, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1083/T1005 (File and Directory Discovery/Data from Local System) for collection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated…

remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

Deeper analysisAI

CVE-2026-21858 is a critical vulnerability in n8n, an open source workflow automation platform. It affects versions starting from 1.65.0 up to but not including 1.121.0, where certain form-based workflows enable an attacker to access files on the underlying server. The issue stems from improper input validation (CWE-20) and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability disruption.

An unauthenticated remote attacker can exploit the vulnerability by executing a vulnerable workflow, gaining unauthorized access to sensitive files on the server. This exposure can reveal confidential data and potentially lead to further system compromise, depending on the deployment configuration and specific workflow usage.

The vulnerability is addressed in n8n version 1.121.0. Official mitigation guidance is available in the GitHub security advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg, with additional details provided by Cyera Research Labs at https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858. Security practitioners should prioritize upgrading affected instances and reviewing exposed workflows.

Details

CWE(s): CWE-20

Affected Products

n8n

1.65.0 — 1.121.0

CVEs Like This One

CVE-2026-21893Same product: N8N N8N

CVE-2026-25053Same product: N8N N8N

CVE-2026-25052Same product: N8N N8N

CVE-2026-27494Same product: N8N N8N

CVE-2026-21877Same product: N8N N8N

CVE-2026-42232Same product: N8N N8N

CVE-2025-68613Same product: N8N N8N

CVE-2025-62726Same product: N8N N8N

CVE-2026-25055Same product: N8N N8N

CVE-2026-1470Same product: N8N N8N

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
Vendor Advisory · security-advisories@github.com
https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
Exploit, Third Party Advisory · security-advisories@github.com