Ddos 
The “central nervous system” of automation for thousands of companies has a critical weakness. A new report from Cyera reveals a devastating vulnerability in n8n, the popular workflow automation platform, that allows unauthenticated attackers to seize full control of the server. With a CVSS score of 10.0, the flaw is as critical as they come, and to make matters worse, a Proof-of-Concept (PoC) exploit chain is already public.
The vulnerability, tracked as CVE-2026-21858, impacts an estimated 100,000 servers globally, threatening to expose API keys, customer databases, and proprietary AI workflows.
At its heart, the vulnerability is a logic error in how n8n processes incoming HTTP requests—specifically, a “Content-Type Confusion.”
n8n uses a middleware function parseRequestBody to handle incoming data. If the Content-Type header is set to multipart/form-data, it uses a secure file parser (Formidable) to populate a global variable called req.body.files. If the header is application/json, it uses a standard body parser to populate req.body from the JSON payload.
The critical oversight occurs in the Form Webhook Node, used for file uploads. The function handling these uploads, prepareFormReturnItem, assumes that req.body.files contains legitimately uploaded files. However, it fails to verify that the request was actually multipart/form-data.
This allows an attacker to perform a simple but deadly trick:
- Send a request with Content-Type: application/json.
- Include a malicious files object in the JSON body.
- Manually define the filepath in that object to point to any file on the server (e.g., /etc/passwd).
Because the application trusts this input, it “copies” the internal system file and serves it back to the attacker, granting them an Arbitrary File Read primitive.
While reading files is bad, the Cyera report details how this primitive can be weaponized into a full server takeover. The attack path is methodical and terrifyingly effective:
- Step 1: Steal Credentials. The attacker uses the file read vulnerability to retrieve the n8n database (e.g., /home/node/.n8n/database.sqlite) and the configuration file (/home/node/.n8n/config).
- Step 2: Forge Session. The database contains user details (email and hashed passwords), and the config file contains the encryption secret key. With these two pieces of the puzzle, an attacker can digitally sign their own session cookie (n8n-auth), effectively logging themselves in as the administrator.
- Step 3: Execute Code. Once logged in as an admin, the attacker simply creates a new workflow, adds an “Execute Command” node, and runs whatever shell commands they want.
Security researcher Chocapikk has already published a Proof-of-Concept (PoC) that chains this vulnerability with another flaw (CVE-2025-68613) to achieve unauthenticated Remote Code Execution (RCE).
This “blast radius” is massive. Because n8n is designed to connect disparate systems, a compromised instance hands attackers the keys to everything it touches: “organizational Google Drive, OpenAI API keys, Salesforce data, IAM systems, payment processors,” and more.
There are no official workarounds for this vulnerability. Administrators are urged to upgrade to n8n version 1.121.0 or later immediately to close the breach.
Additionally, security teams should ensure n8n instances are not exposed to the public internet unless absolutely necessary and require authentication for all forms.
Related Posts:
- CVSS 10.0 Alert: Critical n8n Flaw CVE-2026-21877 Grants Total Control
- n8n Under Fire: Critical CVSS 10.0 RCE Vulnerability Grants Total Server Access
- Critical n8n RCE Flaw (CVE-2025-65964) Allows Remote Code Execution via Git Node Configuration Manipulation
- Justice Department Seizes 41 Domains Used by Russian Intelligence in Massive Cyber Espionage Takedown
Donate