Researchers have released details about a critical vulnerability that was silently patched in n8n, a platform used by many companies to build LLM-powered agents and automated workflows. The flaw can allow unauthenticated attackers to completely take over local n8n deployments, execute commands on the underlying system, and extract the sensitive corporate data that workflows typically have access to.
“The blast radius of a compromised n8n is massive,” researchers from data security company Cyera, who found the vulnerability, noted in their report. “N8n is connecting countless systems, your organizational Google Drive, OpenAI API keys, Salesforce data, IAM systems, payment processors, customer databases, CI/CD pipelines, and more. It’s the central nervous system of your automation infrastructure.”
The n8n developers patched this issue in version 1.121.0 released on Nov. 18, but the release notes did not mention security fixes at the time, which seems to be standard procedure as n8n security advisories are intentionally released with a delay. The project has patched other critical RCE vulnerabilities since then, such as CVE-2025-68613, CVE-2025-68668, and CVE-2026-21877, so users should ensure they always update to the latest available version.
Content-Type confusion leads to arbitrary file reads
The vulnerability, tracked as CVE-2026-21858, has a severity rating of 10.0 (critical) and enables a two-part attack. First, it allows unauthenticated attackers who have access to n8n web forms to leak internal files from the n8n server. This is because the formWebhook function used by n8n Form nodes to receive data doesn’t validate whether the Content-Type header of the POST request submitted by the user is set to multipart/form-data.
Imagine a very common use case in which n8n has been used to build a chat interface that allows users to upload files to the system — for example, a customer support portal that accepts error screenshots or logs, an HR system for submitting CVs, or a knowledge base where employees can upload documents to index for later querying through an LLM-powered chatbot.
In the normal flow, when the content type is multipart/form-data and the request body has a files section, n8n parses the request with its parseFormData() function, which uses the Node.js library Formidable to handle file uploads securely: each file is stored in a temp directory under a random path before the req.body.files field is populated with the filename and location.
However, if a request has a different content type, for example application/json, n8n parses the request body using another function called parseBody(), which behaves differently. This function extracts the request’s data section to populate the req.body.data field, but it also extracts every other section from the request to populate the corresponding req.body.<section name> field with that section’s content.
Because formWebhook doesn’t validate whether a request carrying a files section is actually multipart/form-data, it calls the wrong parsing function on the body, so req.body.files ends up populated with user-controlled values such as filenames and paths. It then calls a function called copyBinaryFile() to copy the files listed in req.body.files — which are supposed to be random temp paths — to persistent storage locations to be consumed by other nodes and workflows. This opens the door to path traversal, in which legitimate files on the system can be overwritten or loaded elsewhere in a workflow.
To exploit this vulnerability, an attacker can submit a request as application/json with a files section that specifies known file paths from the local system, including n8n configuration files that contain sensitive credentials and tokens. If these files are added into the context of an LLM-powered chatbot node, the attacker can then use the chat interface to ask questions about those files and leak their contents.
From arbitrary file read to admin privileges
The second part of the attack enabled by this vulnerability widens the “blast radius” considerably, because the ability to read any local file has serious implications given the way n8n tracks authenticated sessions.
Session cookies are strings stored in the user’s browser to maintain their authenticated status for a period of time. Attackers regularly steal session cookies from compromised systems to bypass authentication and log in as their victims on various websites.
In n8n, session cookies are generated by combining a user’s unique ID with a SHA256 hash of the user’s email and password and then signing the result with a secret key unique to each n8n installation.
The problem is that all the information needed to rebuild session cookies is located in local files. The unique secret key is stored in /home/node/.n8n/config and all user records are stored in the /home/node/.n8n/database.sqlite file. Leaking the contents of these two files allows attackers to recreate n8n-auth cookies for any users, including administrators.
With administrator privileges attackers can create new workflows, and n8n offers a node called Execute Command that does exactly what the name implies — executes commands on the underlying operating system with the privileges of the n8n service.
“Imagine a large enterprise with 10,000+ employees with one n8n server that anyone uses,” the researchers wrote in their report. “A compromised n8n instance doesn’t just mean losing one system — it means handing attackers the keys to everything. API credentials, OAuth tokens, database connections, cloud storage, all centralized in one place. N8n becomes a single point of failure and a goldmine for threat actors.”