CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-21858

Ni8mare (CVE-2026-21858): When Automation Automates Your Own Pwnage

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 24, 2026·5 min read·71 visits

Executive Summary (TL;DR)

Critical RCE in n8n versions < 1.121.0. An unauthenticated attacker can read any file on the server (like config/db) by manipulating the 'filename' parameter in multipart requests. Leaked secrets allow admin session forgery and subsequent RCE.

n8n, the popular workflow automation tool, suffered a catastrophic 10.0 CVSS vulnerability dubbed 'Ni8mare'. By exploiting a Content-Type confusion flaw in the Form Trigger node, unauthenticated attackers could trick the server into treating existing system files as uploaded content. This Arbitrary File Read (AFR) allowed the theft of encryption keys and JWT secrets, leading to a trivial upgrade path to full Remote Code Execution (RCE).

The Hook: The Glue That Holds (and Leaks) Everything

n8n is the 'fair-code' darling of the automation world. It connects your Stripe to your Slack, your AWS to your Airtable. It is, by definition, a repository of your most sensitive API keys and secrets. It's the central nervous system of many modern tech stacks.

Now, imagine if that central nervous system had a reflex where, if you poked it just right, it would vomit out its own genetic code. That is essentially what CVE-2026-21858, or 'Ni8mare', represents.

The vulnerability lies in the Form Trigger node. This component is designed to let users upload files to a workflow. It's meant to be a simple door for data entry. Unfortunately, due to some questionable parsing logic, it became a revolving door for the entire filesystem. The irony here is palpable: a tool designed to ingest external data securely ended up ingesting its own internal secrets and handing them to strangers.

The Flaw: Identity Crisis in the Parser

The root cause is a classic case of "Content-Type Confusion" paired with a lack of input sanitization. When n8n receives a multipart/form-data request, it has to decide what is a simple text field and what is a file upload. In vulnerable versions, the parser was a bit too trusting. It relied heavily on the Content-Disposition header to determine how to handle the data.

Specifically, it looked at the filename parameter. The developers likely assumed that filename would represent the name of the file being uploaded. They didn't anticipate that an attacker would provide a path like ../../../../home/node/.n8n/config.

Because the application didn't enforce that a file upload must actually contain a new binary data stream, it effectively said: "Oh, you want to use the file at ../../config? Sure, I'll just grab that existing file and pretend you just uploaded it." It's like ordering a pizza and telling the delivery driver to just grab the one already sitting in your neighbor's oven.

The Code: Trust, But Verify (Or Just Don't Verify)

Let's look at the logic. In the vulnerable code, the handling of the uploaded file path was effectively a direct concatenation or unchecked usage of the user-supplied filename. The system blindly trusted the header.

Here is a conceptual simplification of the vulnerability:

// Vulnerable Logic
const file = new File({
  path: providedFilename, // <--- The killer line. No sanitization.
  name: providedFilename
});

The fix, introduced in version 1.121.0 (Commit faae32934230ca3f0a7da1798e6737c3891ef250), forces the filename to be stripped of directory components and ensures the file is written to a random, isolated temporary directory.

// Patched Logic
const safeFilename = path.basename(providedFilename);
const tempPath = path.join(randomTempDir, safeFilename);
// The file content is then streamed to tempPath

By using path.basename(), any attempt to traverse directories (../) is neutralized. ../../etc/passwd simply becomes passwd, safely trapped in a temp folder where it belongs.

The Exploit: From Read to RCE

Reading a file is bad, but reading the right file is game over. The exploit chain for Ni8mare is a masterclass in escalation. It turns a "read-only" bug into total domination.

Step 1: The Heist The attacker sends a POST request to a webhook endpoint. The payload is a multipart form with a filename pointing to sensitive n8n configuration files, typically located at /home/node/.n8n/config or the SQLite database file.

Step 2: The Keys to the Kingdom The workflow reflects the file content back to the attacker (or the attacker blindly extracts it). Inside, they find the N8N_ENCRYPTION_KEY and the specific secret used to sign JSON Web Tokens (JWTs).

Step 3: The Forgery With the signing secret, the attacker crafts a new JWT. They don't need to crack a password; they just mint a new ID badge that says "I am the Admin."

Step 4: The Execution Now authenticated as an admin, the attacker accesses the n8n dashboard. They create a new workflow with an "Execute Command" node. They type cat /etc/shadow or install a reverse shell, hit "Execute", and the server is theirs.

The Fix: Patch or Die

The remediation is straightforward but urgent. You must update to n8n version 1.121.0 immediately. The patch changes how file uploads are parsed and stored, effectively killing the traversal vector.

However, if you were exposed, patching is not enough. Since the attacker could have read your encryption keys and database credentials, you must treat your instance as fully compromised. It is not enough to lock the door after the burglar has copied your keys.

  1. Rotate Secrets: Change your N8N_ENCRYPTION_KEY and any API keys stored in your credentials.
  2. Revoke Sessions: Force a logout of all users.
  3. Check Persistence: Audit your workflows. Look for any "Execute Command" nodes you didn't create or strange Cron triggers.

This vulnerability scored a perfect 10.0 on CVSS for a reason. It requires no authentication, no user interaction, and results in total system compromise. Do not sleep on this.

Official Patches

n8nOfficial Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score
10.0/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Probability
7.69%
Top 8% most exploited

Affected Systems

n8n Workflow Automation Tool

Affected Versions Detail

Product
Affected Versions
Fixed Version
n8n
n8n-io
>= 1.65.0, < 1.121.01.121.0
AttributeDetail
CVSS Score10.0 (Critical)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE IDCWE-20 (Improper Input Validation) / CWE-22 (Path Traversal)
Exploit StatusPublic PoC / Weaponized
EPSS Score0.07694 (7.69%)
EPSS Percentile91.74%

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1552Unsecured Credentials
Credential Access
T1059Command and Scripting Interpreter
Execution
CWE-20
Improper Input Validation

Improper Input Validation leading to Path Traversal

Known Exploits & Detection

GitHubFull-chain exploit (AFR to RCE) automating secret extraction
GitHubDockerized lab environment and Python PoC
NucleiDetection Template Available

Vulnerability Timeline

Vulnerability discovered by Cyera Research Labs
2026-01-07
n8n releases patch 1.121.0 and Advisory
2026-01-07
Public PoC exploits released
2026-01-08

References & Sources

  • [1]Cyera Research: Ni8mare Deep Dive
  • [2]Horizon3.ai: The Ni8mare Test

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•43 minutes ago•GHSA-7CX2-G3H9-382P
8.1

GHSA-7CX2-G3H9-382P: Multiple Vulnerabilities in Crawl4AI Docker API (Arbitrary File Write, SSRF, CRLF Log Injection)

An in-depth technical analysis of multiple security vulnerabilities in the self-hosted Docker API server of Crawl4AI up to version 0.8.7. These flaws include a critical arbitrary file write via symlink traversal and TOCTOU weakness, CRLF log injection, webhook header injection, and SSRF filter gaps. These have been remediated in version 0.8.8.

Alon Barad
Alon Barad
2 views•6 min read
•about 1 hour ago•GHSA-F989-C77F-R2CQ
8.2

GHSA-f989-c77f-r2cq: LLM Credential Exfiltration and SSRF in Crawl4AI Docker Server

A technical evaluation of the Crawl4AI open-source web crawling and scraping library revealed a high-severity credential exfiltration vulnerability in its self-hosted Dockerized API server. The flaw arises from an unvalidated base_url parameter in request payloads and a dynamic prefix resolution mechanism that retrieves system environment variables. Unauthenticated remote attackers can leverage these features in tandem to extract host-level secrets or redirect configured LLM API keys to an external listener under their control.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 2 hours ago•GHSA-365W-HQF6-VXFG
9.8

GHSA-365w-hqf6-vxfg: Multiple Critical Vulnerabilities in Crawl4AI Docker API Server

The Crawl4AI Docker API server, in versions 0.8.6 and prior, contains multiple critical vulnerabilities including improper path sanitization, missing authentication on administration routes, hardcoded JWT secrets, and SSRF. These vulnerabilities allow remote, unauthenticated attackers to write arbitrary files, execute arbitrary code, and pivot into private cloud environments.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 5 hours ago•GHSA-534H-C3CW-V3H9
5.5

GHSA-534h-c3cw-v3h9: Local Information Disclosure via Abstract-Namespace Socket in Nuxt Dev Server

A local security vulnerability in the Nuxt development server (nuxt dev) allows local unprivileged users to access sensitive configuration files and source code. On Linux environments running Node.js 20+, Nuxt bound its internal vite-node IPC server to an abstract-namespace Unix socket without any peer authentication, enabling co-resident local users to connect and request module code directly.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 5 hours ago•GHSA-8RFP-98V4-MMR6
0.0

GHSA-8RFP-98V4-MMR6: Protocol-Filtering Bypass via Unicode Obfuscation in Mozilla Bleach

Mozilla Bleach is an open-source HTML sanitizing library for Python. Versions up to and including 6.3.0 contain an incomplete filtering implementation in the URI validation logic ('sanitize_uri_value'). This logic fails to detect disallowed protocols, such as 'javascript:', if they contain Unicode invisible characters, whitespace characters, or characters with a code point greater than U+00A0. While standard-compliant web browsers do not directly execute invalid URI schemes containing these non-standard characters, downstream systems that normalize Unicode text by stripping invisible or non-ASCII characters can unintentionally reactivate the 'javascript:' prefix, causing Cross-Site Scripting (XSS). Additionally, this behavior violates Bleach's core sanitization contract by outputting URIs that bypass protocol allowlists configured by the caller.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 6 hours ago•GHSA-G75F-G53V-794X
4.3

GHSA-G75F-G53V-794X: CPU Exhaustion via Unbounded Email Regular Expression Scanning in Bleach

An uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When `parse_email=True` is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.

Amit Schendel
Amit Schendel
4 views•6 min read