CVE-2026-21858
Unknown Unknown - Not Provided

Unauthenticated File Access Vulnerability in n8n Workflows

Vulnerability report for CVE-2026-21858, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description

n8n is an open source workflow automation platform. Versions below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-07-06
AI Q&A
2026-01-08
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
n8n-io n8n to 1.65.0 (inc)
n8n-io n8n 1.121.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in n8n, an open source workflow automation platform, allows unauthenticated remote attackers to access files on the underlying server by exploiting certain form-based workflows. It is caused by improper input validation in webhook requests, enabling attackers to bypass security boundaries and access sensitive information without any privileges or user interaction. The issue affects versions up to 1.65.0 and is fixed in version 1.121.0. [1]

Impact Analysis

The vulnerability can lead to exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. It results in high confidentiality and integrity loss, allowing attackers to access and potentially manipulate sensitive data without authorization. There is no impact on availability. [1]

Mitigation Strategies

Users should upgrade n8n to version 1.121.0 or later to fix the vulnerability. Until the patch is applied, temporarily restricting or disabling publicly accessible webhook and form endpoints may mitigate the risk. [1]

Compliance Impact

The vulnerability allows unauthenticated remote attackers to access sensitive information stored on the system, which could lead to exposure of personal or protected data. This exposure may result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access. Therefore, until the vulnerability is patched, affected systems may be at risk of violating these compliance standards. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart