CVE CRITICAL January 7, 2026 · 9 min read

CVE-2026-21858: n8n Form Workflows Expose Server Files to Unauthenticated Remote Attackers

n8n versions 1.65.0 through 1.120.x allow unauthenticated attackers to read arbitrary files from the underlying server via form-based workflow execution. CVSS 10.0. Upgrade to v1.121.0 immediately.


CVSS 10.0 — CRITICAL
FieldDetail
CVE IDCVE-2026-21858
SeverityCRITICAL (CVSS 3.1: 10.0)
Affected Productn8n workflow automation platform
Affected Versions1.65.0 through 1.120.x
Fixed Version1.121.0
Vulnerability TypePath Traversal / Arbitrary File Read (CWE-22)
PublishedJanuary 7, 2026
Authentication RequiredNone

What Is CVE-2026-21858?

n8n is a widely-deployed open-source workflow automation platform. CVE-2026-21858 is a path traversal vulnerability in n8n's form-based workflow execution engine. When form-triggered workflows process user-supplied file paths, insufficient sanitization allows attackers to traverse outside intended directories and read arbitrary server files — including credentials, environment variables, and sensitive configuration.

⚠ Unauthenticated via Public Forms

n8n form workflows are intentionally public-facing (no auth required by design). This means the attack surface is exposed by default on any n8n instance with active form workflows. A single malicious HTTP request can exfiltrate server credentials.

High-Value Targets on an n8n Server

Affected Versions

Detection Methods

Check Your n8n Version

# Check installed version
n8n --version
# or
cat node_modules/n8n/package.json | grep '"version"'

# Docker
docker exec n8n-container n8n --version

Audit Active Form Workflows

Review all workflows with Form Trigger nodes. Any workflow that reads files or processes file paths from form inputs should be treated as potentially vulnerable until patched. Disable public form workflows on unpatched instances.

🔍 KENSAI Detection: KENSAI detects path traversal vulnerabilities including CVE-2026-21858 by testing all form endpoints and webhook inputs with directory traversal payloads. Our scanner identifies accessible n8n instances and automatically tests for this vulnerability pattern.

Mitigation Steps

  1. Upgrade to n8n v1.121.0 immediately — this is the only complete fix.
  2. Temporary mitigation: Disable all form-trigger workflows until you can upgrade.
  3. Network isolation: Place n8n behind authentication (VPN, SSO) to prevent unauthenticated access.
  4. Rotate all credentials: If you ran a vulnerable version with public form workflows, assume all credentials stored in n8n are compromised — rotate them immediately.
  5. Review access logs: Check for path traversal patterns (../, %2e%2e%2f) in webhook request logs.

KENSAI Detection Capability

KENSAI scans for CVE-2026-21858 and path traversal vulnerabilities across all automation platforms:

Is Your n8n Instance Exposed?

KENSAI identifies vulnerable automation platforms and tests for CVE-2026-21858. Protect your workflow credentials before attackers drain them.

Scan Your Automation Stack Free

Published by the KENSAI Security Research Team · More CVE Analysis

Related Articles

FortiClient EMSが活発な攻撃下に、EU委員会350GBデータ漏洩、ロシア製CTRLツールキット暴露、中国APTクラスターが東南アジアに集中 Redirecting... TeamPCP versteckt Stealer in WAV-Dateien, Gefälschte VS Code-Warnungen auf GitHu