n8n Unauthenticated RCE "Ni8mare" (CVE-2026-21858)
by Publish anonymously · 2 days ago
CVSS 10.0. Content-type confusion in webhook request handling allows unauthenticated attackers to forge uploaded files, read arbitrary local files, forge admin sessions, and execute commands on the host. ~100,000 n8n servers globally affected. If an LLM-powered chatbot node is present, attackers can exfiltrate file contents by chatting with the bot. Fixed in v1.121.0.
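To find instances still below the fixed release, the following added example (not part of the original advisory or the n8n project) triages an inventory of n8n version strings against v1.121.0. It assumes every earlier version needs patching, since the advisory gives no lower bound, and the hostnames and versions are constructed.

```python
import re

FIXED = (1, 121, 0)  # from the advisory: "Fixed in v1.121.0"

# Accepts "1.120.4", "v1.121.0", "1.122" and an optional pre-release suffix.
_VER = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?$")


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for one n8n version string."""
    m = _VER.match(version.strip())
    if not m:
        return "unknown"  # e.g. a floating image tag: needs a manual check
    # Compare numerically; as strings, "1.9.3" would sort above "1.121.0".
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if core > FIXED:
        return "patched"
    if core == FIXED:
        # Assumption: a pre-release of the fixed version is not trusted
        # to carry the fix, so it is flagged rather than cleared.
        return "vulnerable" if m.group(4) else "patched"
    return "vulnerable"


def triage(inventory):
    """Group hosts by status; inventory is an iterable of (host, version)."""
    out = {"vulnerable": [], "unknown": [], "patched": []}
    for host, version in inventory:
        out[classify(version)].append(host)
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("automation-01.example.internal", "1.120.4"),
    ("automation-02.example.internal", "v1.121.0"),
    ("automation-03.example.internal", "1.121.0-beta.1"),
    ("automation-04.example.internal", "1.9.3"),
    ("automation-05.example.internal", "latest"),
    ("automation-06.example.internal", "1.122"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Hosts reported as `unknown` run a tag that does not pin a version and have to be resolved to the actual running release before they can be cleared.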