CVE-2026-21858
Unknown Unknown - Not Provided
Unauthenticated File Access Vulnerability in n8n Workflows

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Versions below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21858
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
n8n-io n8n to 1.65.0 (inc)
n8n-io n8n 1.121.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated remote attackers to access sensitive information stored on the system, which could lead to exposure of personal or protected data. This exposure may result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access. Therefore, until the vulnerability is patched, affected systems may be at risk of violating these compliance standards. [1]

Executive Summary

This vulnerability in n8n, an open source workflow automation platform, allows unauthenticated remote attackers to access files on the underlying server by exploiting certain form-based workflows. It is caused by improper input validation in webhook requests, enabling attackers to bypass security boundaries and access sensitive information without any privileges or user interaction. The issue affects versions up to 1.65.0 and is fixed in version 1.121.0. [1]

Impact Analysis

The vulnerability can lead to exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. It results in high confidentiality and integrity loss, allowing attackers to access and potentially manipulate sensitive data without authorization. There is no impact on availability. [1]

Mitigation Strategies

Users should upgrade n8n to version 1.121.0 or later to fix the vulnerability. Until the patch is applied, temporarily restricting or disabling publicly accessible webhook and form endpoints may mitigate the risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart