Category: Uncategorized

Jan 07, 2026Ravie LakshmananVulnerability / Automation

Cybersecurity researchers have disclosed details of yet another maximum-severity security flaw in n8n, a popular workflow automation platform, that allows an unauthenticated remote attacker to gain complete control over susceptible instances.

The vulnerability, tracked as CVE-2026-21858 (CVSS score: 10.0), has been codenamed Ni8mare by Cyera Research Labs. Security researcher Dor Attias has been acknowledged for discovering and reporting the flaw on November 9, 2025.

“A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows,” n8n said in an advisory published today. “A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage.”

With the latest development, n8n has disclosed four critical vulnerabilities over the last two weeks –

• CVE-2025-68613 (CVSS score: 9.9) – An improper control of dynamically-managed code resources that could allow authenticated attackers to achieve remote code execution (RCE) under certain conditions (Fixed in versions 1.120.4, 1.121.1, and 1.122.0)
• CVE-2025-68668 or N8scape (CVSS score: 9.9) – A sandbox bypass vulnerability that could allow an authenticated user with permission to create or modify workflows to execute arbitrary commands on the host system running n8n (Fixed in version 2.0.0)
• CVE-2026-21877 (CVSS score: 10.0) – An unrestricted upload of a file with a dangerous type vulnerability that could allow an authenticated attacker to execute untrusted code via the n8n service, leading to full compromise of the instance (Fixed in version 1.121.3)

However, unlike these flaws, CVE-2026-21858 does not require any credentials and takes advantage of a “Content-Type” confusion flaw to extract sensitive secrets, forge administrator access, and even execute arbitrary commands on the server.

The vulnerability affects all versions of n8n prior to and including 1.65.0. It has been addressed in version 1.121.0, which was released on November 18, 2025. It’s worth noting that the latest versions of the library are 1.123.10, 2.1.5, 2.2.4, and 2.3.0.

According to technical details shared by Cyera with The Hacker News, the crux of the problem is rooted in the n8n webhook and file handling mechanism. Webhooks, which are crucial to receive data from apps and services when certain events occur, are triggered after the incoming request is parsed using a function named “parseRequestBody().”

Specifically, the function is designed to read the “Content-Type” header in the request and invoke another function to parse the request body –

• Use parseFormData(), aka “file upload parser,” if the “Content-Type” header is “multipart/form-data,” denoting form data
• Use parseBody() aka “regular body parser” for all other content types

The file upload parser, in turn, uses the parse() function associated with formidable, a Node.js module for parsing form data, and stores the decoded result in a global variable called “req.body.files.” This populated data is processed by the webhook, which only runs when the “Content-Type” header is set to “multipart/form-data.”

In contrast, the regular body parser processes the incoming HTTP request body and stores the extracted data in a different global variable known as “req.body.”

CVE-2026-21858 occurs when a file-handling function is run without first verifying that the content-type is “multipart/form-data,” potentially allowing an attacker to override req.body.files. Cyera said it found such a vulnerable flow in the function that handles form submissions (“formWebhook()”), which invokes a file-handling function (“copyBinaryFile()”) to act on “req.body.files.”

“Here’s the issue: since this function is called without verifying the content type is ‘multipart/form-data,’ we control the entire req.body.files object,” Attias said. “That means we control the filepath parameter — so instead of copying an uploaded file, we can copy any local file from the system.”

“The result? Any node after the Form node receives the local file’s content instead of what the user uploaded.”

As for how the attack can play out, consider a website that has a chat interface to provide information about various products based on product specification files uploaded to the organizational knowledge base using a Form workflow. With this setup in place, a bad actor can leverage the security hole to read arbitrary files from the n8n instance and escalate it further to RCE by performing the following steps –

• Use the arbitrary read primitive to access the database located at “/home/node/.n8n/database.sqlite” and load it into the knowledge-base
• Extract the administrator’s user ID, email, and hashed password using the chat interface
• Use the arbitrary read primitive again to load a configuration file located at “/home/node/.n8n/config” and extract the encryption secret key
• Use the obtained user and key information to forge a fake session cookie and obtain admin access, leading to an authentication bypass
• Achieve RCE by creating a new workflow with an “Execute Command” node

“The blast radius of a compromised n8n is massive,” Cyera said. “A compromised n8n instance doesn’t just mean losing one system — it means handing attackers the keys to everything. API credentials, OAuth tokens, database connections, cloud storage — all centralized in one place. n8n becomes a single point of failure and a goldmine for threat actors.”

In light of the severity of the flaw, users are advised to upgrade to the patched version or later as soon as possible for optimal protection, avoid exposing n8n to the internet, and enforce authentication for all Forms. As temporary workarounds, it’s advised to restrict or disable publicly accessible webhook and form endpoints.

Crowds lined the streets of Saint-Tropez for the funeral of French film legend Brigitte Bardot on Wednesday.

Some of those gathered were seen applauding as her coffin was driven through the French Riviera town after a service in a local church.

Among the guests at the service were far-right politician Marine le Pen and Equality Minister Aurore Bergé, who like Bardot, is a defender of animal rights. The actress was later buried at a hillside cemetery overlooking the Mediterranean.

Bardot, who revolutionised 1950s French cinema and became a symbol of sexual liberation, died of cancer aged 91 three days after Christmas.

Bardot had left instructions that her funeral be conducted without fanfare or ostentation – but the people of Saint-Tropez wanted to pay her a proper adieu on Wednesday.

Screens were set up in the small fishing town that was transformed by Bardot’s fame into a playground for the jet set.

Bardot’s only son Nicolas-Jacques Charrier was among those carrying the coffin to the cemetery where the actress’ parents and first husband Roger Vadim are buried.

After her death, French President Emmanuel Macron said the nation was mourning “a legend of the century”, while the Brigitte Bardot Foundation remembered her as a “world-renowned actress”.

The cinema icon – “BB” as she was known in her home country – acted in almost 50 films, including And God Created Woman, but retired in 1973 to devote her life to animal welfare.

Later in life, Bardot’s reputation was damaged after she made homophobic slurs and was fined multiple times for inciting racial hatred.

Her right-wing views alienated her from many in the political establishment.