CVE-2026-21858: n8n Form Workflows Expose Server Files to Unauthenticated Remote Attackers
n8n versions 1.65.0 through 1.120.x allow unauthenticated attackers to read arbitrary files from the underlying server via form-based workflow execution. CVSS 10.0. Upgrade to v1.121.0 immediately.
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-21858 |
| Severity | CRITICAL (CVSS 3.1: 10.0) |
| Affected Product | n8n workflow automation platform |
| Affected Versions | 1.65.0 through 1.120.x |
| Fixed Version | 1.121.0 |
| Vulnerability Type | Path Traversal / Arbitrary File Read (CWE-22) |
| Published | January 7, 2026 |
| Authentication Required | None |
What Is CVE-2026-21858?
n8n is a widely-deployed open-source workflow automation platform. CVE-2026-21858 is a path traversal vulnerability in n8n's form-based workflow execution engine. When form-triggered workflows process user-supplied file paths, insufficient sanitization allows attackers to traverse outside intended directories and read arbitrary server files — including credentials, environment variables, and sensitive configuration.
⚠ Unauthenticated via Public Forms
n8n form workflows are intentionally public-facing (no auth required by design). This means the attack surface is exposed by default on any n8n instance with active form workflows. A single malicious HTTP request can exfiltrate server credentials.
High-Value Targets on an n8n Server
/root/.n8n/database.sqlite— all workflow credentials in plaintext/etc/passwd,/etc/shadow— system user accounts~/.aws/credentials— AWS access keys.envfiles — API keys, database passwords/proc/self/environ— runtime environment variables- SSH private keys, TLS certificates, application configs
Affected Versions
- Vulnerable: n8n 1.65.0 through 1.120.x (all releases)
- Not vulnerable: Versions below 1.65.0 (feature not present), 1.121.0 and above (patched)
Detection Methods
Check Your n8n Version
# Check installed version n8n --version # or cat node_modules/n8n/package.json | grep '"version"' # Docker docker exec n8n-container n8n --version
Audit Active Form Workflows
Review all workflows with Form Trigger nodes. Any workflow that reads files or processes file paths from form inputs should be treated as potentially vulnerable until patched. Disable public form workflows on unpatched instances.
🔍 KENSAI Detection: KENSAI detects path traversal vulnerabilities including CVE-2026-21858 by testing all form endpoints and webhook inputs with directory traversal payloads. Our scanner identifies accessible n8n instances and automatically tests for this vulnerability pattern.
Mitigation Steps
- Upgrade to n8n v1.121.0 immediately — this is the only complete fix.
- Temporary mitigation: Disable all form-trigger workflows until you can upgrade.
- Network isolation: Place n8n behind authentication (VPN, SSO) to prevent unauthenticated access.
- Rotate all credentials: If you ran a vulnerable version with public form workflows, assume all credentials stored in n8n are compromised — rotate them immediately.
- Review access logs: Check for path traversal patterns (
../,%2e%2e%2f) in webhook request logs.
KENSAI Detection Capability
KENSAI scans for CVE-2026-21858 and path traversal vulnerabilities across all automation platforms:
- Automated path traversal testing on webhook and form endpoints
- n8n version fingerprinting and vulnerability correlation
- Credential exposure assessment for automation platform deployments
- Continuous monitoring for newly exposed form workflow endpoints
Is Your n8n Instance Exposed?
KENSAI identifies vulnerable automation platforms and tests for CVE-2026-21858. Protect your workflow credentials before attackers drain them.
Scan Your Automation Stack FreePublished by the KENSAI Security Research Team · More CVE Analysis