Ni8mare (CVE-2026-21858): When Automation Automates Your Own Pwnage

n8n is the 'fair-code' darling of the automation world. It connects your Stripe to your Slack, your AWS to your Airtable. It is, by definition, a repository of your most sensitive API keys and secrets. It's the central nervous system of many modern tech stacks.

Now, imagine if that central nervous system had a reflex where, if you poked it just right, it would vomit out its own genetic code. That is essentially what CVE-2026-21858, or 'Ni8mare', represents.

The vulnerability lies in the Form Trigger node. This component is designed to let users upload files to a workflow. It's meant to be a simple door for data entry. Unfortunately, due to some questionable parsing logic, it became a revolving door for the entire filesystem. The irony here is palpable: a tool designed to ingest external data securely ended up ingesting its own internal secrets and handing them to strangers.

The root cause is a classic case of "Content-Type Confusion" paired with a lack of input sanitization. When n8n receives a multipart/form-data request, it has to decide what is a simple text field and what is a file upload. In vulnerable versions, the parser was a bit too trusting. It relied heavily on the Content-Disposition header to determine how to handle the data.

Specifically, it looked at the filename parameter. The developers likely assumed that filename would represent the name of the file being uploaded. They didn't anticipate that an attacker would provide a path like ../../../../home/node/.n8n/config.

Because the application didn't enforce that a file upload must actually contain a new binary data stream, it effectively said: "Oh, you want to use the file at ../../config? Sure, I'll just grab that existing file and pretend you just uploaded it." It's like ordering a pizza and telling the delivery driver to just grab the one already sitting in your neighbor's oven.

Let's look at the logic. In the vulnerable code, the handling of the uploaded file path was effectively a direct concatenation or unchecked usage of the user-supplied filename. The system blindly trusted the header.

Here is a conceptual simplification of the vulnerability:

// Vulnerable Logic
const file = new File({
  path: providedFilename, // <--- The killer line. No sanitization.
  name: providedFilename
});

The fix, introduced in version 1.121.0 (Commit faae32934230ca3f0a7da1798e6737c3891ef250), forces the filename to be stripped of directory components and ensures the file is written to a random, isolated temporary directory.

// Patched Logic
const safeFilename = path.basename(providedFilename);
const tempPath = path.join(randomTempDir, safeFilename);
// The file content is then streamed to tempPath

By using path.basename(), any attempt to traverse directories (../) is neutralized. ../../etc/passwd simply becomes passwd, safely trapped in a temp folder where it belongs.

Reading a file is bad, but reading the right file is game over. The exploit chain for Ni8mare is a masterclass in escalation. It turns a "read-only" bug into total domination.

Step 1: The Heist The attacker sends a POST request to a webhook endpoint. The payload is a multipart form with a filename pointing to sensitive n8n configuration files, typically located at /home/node/.n8n/config or the SQLite database file.

Step 2: The Keys to the Kingdom The workflow reflects the file content back to the attacker (or the attacker blindly extracts it). Inside, they find the N8N_ENCRYPTION_KEY and the specific secret used to sign JSON Web Tokens (JWTs).

Step 3: The Forgery With the signing secret, the attacker crafts a new JWT. They don't need to crack a password; they just mint a new ID badge that says "I am the Admin."

Step 4: The Execution Now authenticated as an admin, the attacker accesses the n8n dashboard. They create a new workflow with an "Execute Command" node. They type cat /etc/shadow or install a reverse shell, hit "Execute", and the server is theirs.

The remediation is straightforward but urgent. You must update to n8n version 1.121.0 immediately. The patch changes how file uploads are parsed and stored, effectively killing the traversal vector.

However, if you were exposed, patching is not enough. Since the attacker could have read your encryption keys and database credentials, you must treat your instance as fully compromised. It is not enough to lock the door after the burglar has copied your keys.

1. Rotate Secrets: Change your N8N_ENCRYPTION_KEY and any API keys stored in your credentials.
2. Revoke Sessions: Force a logout of all users.
3. Check Persistence: Audit your workflows. Look for any "Execute Command" nodes you didn't create or strange Cron triggers.

This vulnerability scored a perfect 10.0 on CVSS for a reason. It requires no authentication, no user interaction, and results in total system compromise. Do not sleep on this.