Feb 24, 2026·5 min read·73 visits
Critical RCE in n8n versions < 1.121.0. An unauthenticated attacker can read any file on the server (like config/db) by manipulating the 'filename' parameter in multipart requests. Leaked secrets allow admin session forgery and subsequent RCE.
n8n, the popular workflow automation tool, suffered a catastrophic 10.0 CVSS vulnerability dubbed 'Ni8mare'. By exploiting a Content-Type confusion flaw in the Form Trigger node, unauthenticated attackers could trick the server into treating existing system files as uploaded content. This Arbitrary File Read (AFR) allowed the theft of encryption keys and JWT secrets, leading to a trivial upgrade path to full Remote Code Execution (RCE).
n8n is the 'fair-code' darling of the automation world. It connects your Stripe to your Slack, your AWS to your Airtable. It is, by definition, a repository of your most sensitive API keys and secrets. It's the central nervous system of many modern tech stacks.
Now, imagine if that central nervous system had a reflex where, if you poked it just right, it would vomit out its own genetic code. That is essentially what CVE-2026-21858, or 'Ni8mare', represents.
The vulnerability lies in the Form Trigger node. This component is designed to let users upload files to a workflow. It's meant to be a simple door for data entry. Unfortunately, due to some questionable parsing logic, it became a revolving door for the entire filesystem. The irony here is palpable: a tool designed to ingest external data securely ended up ingesting its own internal secrets and handing them to strangers.
The root cause is a classic case of "Content-Type Confusion" paired with a lack of input sanitization. When n8n receives a multipart/form-data request, it has to decide what is a simple text field and what is a file upload. In vulnerable versions, the parser was a bit too trusting. It relied heavily on the Content-Disposition header to determine how to handle the data.
Specifically, it looked at the filename parameter. The developers likely assumed that filename would represent the name of the file being uploaded. They didn't anticipate that an attacker would provide a path like ../../../../home/node/.n8n/config.
Because the application didn't enforce that a file upload must actually contain a new binary data stream, it effectively said: "Oh, you want to use the file at ../../config? Sure, I'll just grab that existing file and pretend you just uploaded it." It's like ordering a pizza and telling the delivery driver to just grab the one already sitting in your neighbor's oven.
Let's look at the logic. In the vulnerable code, the handling of the uploaded file path was effectively a direct concatenation or unchecked usage of the user-supplied filename. The system blindly trusted the header.
Here is a conceptual simplification of the vulnerability:
// Vulnerable Logic
const file = new File({
path: providedFilename, // <--- The killer line. No sanitization.
name: providedFilename
});The fix, introduced in version 1.121.0 (Commit faae32934230ca3f0a7da1798e6737c3891ef250), forces the filename to be stripped of directory components and ensures the file is written to a random, isolated temporary directory.
// Patched Logic
const safeFilename = path.basename(providedFilename);
const tempPath = path.join(randomTempDir, safeFilename);
// The file content is then streamed to tempPathBy using path.basename(), any attempt to traverse directories (../) is neutralized. ../../etc/passwd simply becomes passwd, safely trapped in a temp folder where it belongs.
Reading a file is bad, but reading the right file is game over. The exploit chain for Ni8mare is a masterclass in escalation. It turns a "read-only" bug into total domination.
Step 1: The Heist
The attacker sends a POST request to a webhook endpoint. The payload is a multipart form with a filename pointing to sensitive n8n configuration files, typically located at /home/node/.n8n/config or the SQLite database file.
Step 2: The Keys to the Kingdom
The workflow reflects the file content back to the attacker (or the attacker blindly extracts it). Inside, they find the N8N_ENCRYPTION_KEY and the specific secret used to sign JSON Web Tokens (JWTs).
Step 3: The Forgery With the signing secret, the attacker crafts a new JWT. They don't need to crack a password; they just mint a new ID badge that says "I am the Admin."
Step 4: The Execution
Now authenticated as an admin, the attacker accesses the n8n dashboard. They create a new workflow with an "Execute Command" node. They type cat /etc/shadow or install a reverse shell, hit "Execute", and the server is theirs.
The remediation is straightforward but urgent. You must update to n8n version 1.121.0 immediately. The patch changes how file uploads are parsed and stored, effectively killing the traversal vector.
However, if you were exposed, patching is not enough. Since the attacker could have read your encryption keys and database credentials, you must treat your instance as fully compromised. It is not enough to lock the door after the burglar has copied your keys.
N8N_ENCRYPTION_KEY and any API keys stored in your credentials.This vulnerability scored a perfect 10.0 on CVSS for a reason. It requires no authentication, no user interaction, and results in total system compromise. Do not sleep on this.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
n8n n8n-io | >= 1.65.0, < 1.121.0 | 1.121.0 |
| Attribute | Detail |
|---|---|
| CVSS Score | 10.0 (Critical) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| CWE ID | CWE-20 (Improper Input Validation) / CWE-22 (Path Traversal) |
| Exploit Status | Public PoC / Weaponized |
| EPSS Score | 0.07694 (7.69%) |
| EPSS Percentile | 91.74% |
Improper Input Validation leading to Path Traversal
An incomplete mitigation of a predecessor vulnerability (GHSA-xvp4-phqj-cjr3 / CVE-2026-35671) in phpMyFAQ leaves sister administrative API endpoints vulnerable to Insecure Direct Object Reference (IDOR). Specifically, the `editUser` and `updateUserRights` endpoints lack object-level access controls, permitting authenticated low-privilege administrators to escalate their privileges or hijack SuperAdmin accounts.
A critical-severity Cross-Site Scripting (XSS) and Content-Type spoofing vulnerability in Remark42 (versions 1.6.0 through 1.15.0) allows remote attackers to execute arbitrary client-side script code via a crafted image proxy request.
CVE-2026-53462 is a heap Use-After-Free (UAF) vulnerability in ImageMagick's vector drawing subsystem, specifically within the coordinate allocation mechanism in CheckPrimitiveExtent. By parsing a crafted vector image (such as SVG or MVG) with extremely complex primitives, an attacker can trigger a memory reallocation failure. If the application fails to handle this allocation failure cleanly, it leaves a dangling pointer that can subsequently be accessed or freed again, causing memory corruption or an application crash.
A critical security flaw was identified in the Go package golang.org/x/crypto/ssh/agent. The vulnerability arises during the serialization of key constraints when adding SSH identities to a remote agent or an in-memory keyring. Specifically, custom constraint extensions, such as destination restrictions like restrict-destination-v00@openssh.com, were silently omitted from serialization in client requests. This omission allowed keys to be loaded into the remote agent with zero destination-based restrictions, enabling unauthorized users with access to the agent socket on intermediate hosts to authenticate to any downstream host without policy enforcement. The issue was resolved in version v0.52.0 of the golang.org/x/crypto library.
A high-severity Denial of Service (DoS) vulnerability (CVE-2026-46597 / GO-2026-5013) exists in the golang.org/x/crypto/ssh module before version v0.52.0. The flaw stems from an incorrect operator order during a type conversion of the GCM packet padding size, allowing a remote, unauthenticated attacker to trigger an out-of-bounds slice runtime panic and crash the Go process.
A critical security bypass vulnerability was discovered in the Go SSH server implementation within the golang.org/x/crypto/ssh package. When an SSH server authentication callback returned a PartialSuccessError alongside non-nil Permissions, the server silently discarded these permissions before the subsequent authentication step. Consequently, once the user completed the second-factor authentication, the session-level restrictions were dropped, granting the client unauthorized capabilities.