{"id":15424,"date":"2026-01-07T19:26:53","date_gmt":"2026-01-07T19:26:53","guid":{"rendered":"https:\/\/newestek.com\/?p=15424"},"modified":"2026-01-07T19:26:53","modified_gmt":"2026-01-07T19:26:53","slug":"critical-rce-flaw-allows-full-takeover-of-n8n-ai-workflow-platform","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15424","title":{"rendered":"Critical RCE flaw allows full takeover of n8n AI workflow platform"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Researchers have released details about a critical vulnerability that was silently patched in n8n, a platform used by many companies to build LLM-powered agents and automated workflows. The flaw can allow unauthenticated attackers to completely take over local n8n deployments, execute commands on the underlying system, and extract sensitive corporate data workflows typically have access to.<\/p>\n<p>\u201cThe blast radius of a compromised n8n is massive,\u201d researchers from data security company Cyera, who found the vulnerability, noted in their <a href=\"https:\/\/www.cyera.com\/research-labs\/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858\">report on the vulnerability<\/a>. \u201cN8n is connecting countless systems, your organizational Google Drive, OpenAI API keys, Salesforce data, IAM systems, payment processors, customer databases, CI\/CD pipelines, and more. It\u2019s the central nervous system of your automation infrastructure.\u201d<\/p>\n<p>The n8n developers <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-v4pr-fm98-w9pg\">patched this issue in version 1.121.0<\/a> released on Nov. 
18, but the release notes did not mention security fixes at the time, which seems to be standard procedure as n8n security advisories are intentionally released with a delay. The project has patched other critical RCE vulnerabilities since then, such as <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-v98v-ff95-f3cp\">CVE-2025-68613<\/a>, <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-62r4-hw23-cc8v\">CVE-2025-68668<\/a>, and <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-v364-rw7m-3263\">CVE-2026-21877<\/a>, so users should ensure they always update to the latest available version.<\/p>\n<h2 class=\"wp-block-heading\" id=\"content-type-confusion-leads-to-arbitrary-file-reads\">Content-Type confusion leads to arbitrary file reads<\/h2>\n<p>The vulnerability, tracked as CVE-2026-21858, has a severity rating of 10.0 (critical) and enables a two-part attack. First, it allows unauthenticated attackers who have access to n8n web forms to leak internal files from the n8n server. 
This is because the <code>formWebhook<\/code> function used by n8n Form nodes to receive data doesn\u2019t validate whether the <code>Content-Type<\/code> field of the POST request submitted by the user is set to <code>multipart\/form-data<\/code>.<\/p>\n<p>Imagine a very common use case in which n8n has been used to build a chat interface that allows users to upload files to the system \u2014 for example, a customer support portal that accepts error screenshots or logs, an HR system for submitting CVs, or a knowledge base where employees can upload documents to index for later querying through an LLM-powered chatbot.<\/p>\n<p>In the normal flow, when the content type is <code>multipart\/form-data<\/code> and the request body has a <code>files:<\/code> definition, n8n will parse the request with its <code>parseFormData()<\/code> function, which uses Node.js library Formidable to handle file uploads securely by storing the file in a temp directory with a random path before populating the <code>req.body.files<\/code> global variable with the filename and location.<\/p>\n<p>However, if a request has a different content type, for example <code>application\/json<\/code>, n8n will parse the request body using another function called <code>parseBody()<\/code>, which behaves differently. This function extracts the request\u2019s data section to populate the <code>req.body.data<\/code> global variable, but it also extracts any other section from the request to populate the corresponding <code>req.body.[section name]<\/code> variables with their content.<\/p>\n<p>Because <code>formWebhook<\/code> doesn\u2019t validate whether a request with a <code>files<\/code> section is actually <code>multipart\/form-data<\/code>, it will call the wrong parsing function on its body, resulting in the population of the <code>req.body.files<\/code> variable with user-controlled values like filenames and paths. 
It will then call a function called <code>copyBinaryFile()<\/code> to copy any files from the <code>req.body.files<\/code> variable \u2014 which are supposed to be temp random paths \u2014 to persistent storage locations to be consumed by other nodes\/workflows, leading to potential path traversal attacks, in which legitimate files on the system can be overwritten or loaded elsewhere in a workflow.<\/p>\n<p>To exploit this vulnerability, an attacker can submit a request as <code>application\/json<\/code> with a <code>files<\/code> section that specifies known file paths from the local system, including n8n configuration files that contain sensitive credentials and tokens. If these files are added into the context of an LLM-powered chatbot node, the attacker can then use the chat interface to ask questions about those files and leak their contents.<\/p>\n<h2 class=\"wp-block-heading\" id=\"from-arbitrary-file-read-to-admin-privileges\">From arbitrary file read to admin privileges<\/h2>\n<p>The second part of the attack enabled by this vulnerability opens the \u201cblast radius\u201d considerably, as the ability to read any local file has serious implications due to the way n8n tracks authenticated sessions.<\/p>\n<p>Session cookies are strings stored in the user\u2019s browser to maintain their authenticated status for a period of time. Attackers regularly steal session cookies from compromised systems to bypass authentication and log in as their victims on various websites.<\/p>\n<p>In n8n, session cookies are generated by combining a user\u2019s unique ID with a SHA256 hash of the user\u2019s email and password and then signing the result with a secret key unique to each n8n installation.<\/p>\n<p>The problem is that all the information needed to rebuild session cookies is located in local files. The unique secret key is stored in <code>\/home\/node\/.n8n\/config<\/code> and all user records are stored in the <code>\/home\/node\/.n8n\/database.sqlite<\/code> file. 
Leaking the contents of these two files allows attackers to recreate <code>n8n-auth<\/code> cookies for any users, including administrators.<\/p>\n<p>With administrator privileges attackers can create new workflows, and n8n offers a node called Execute Command that does exactly what the name implies \u2014 executes commands on the underlying operating system with the privileges of the n8n service.<\/p>\n<p>\u201cImagine a large enterprise with 10,000+ employees with one n8n server that anyone uses,\u201d the researchers wrote in their report. \u201cA compromised n8n instance doesn\u2019t just mean losing one system \u2014 it means handing attackers the keys to everything. API credentials, OAuth tokens, database connections, cloud storage, all centralized in one place. N8n becomes a single point of failure and a goldmine for threat actors.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have released details about a critical vulnerability that was silently patched in n8n, a platform used by many companies to build LLM-powered agents and automated workflows. The flaw can allow unauthenticated attackers to completely take over local n8n deployments, execute commands on the underlying system, and extract sensitive corporate data workflows typically have access to. 
\u201cThe blast radius of a compromised n8n is massive,\u201d&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15424\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15424","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15424"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15424\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}