Two Critical n8n Vulnerabilities: Patch Fast, Reduce Exposure
Publication date: 2026-01-08
Two critical vulnerabilities disclosed in January 2026 place many n8n deployments at serious risk. When combined, these issues can allow attackers to move from no access at all to full system compromise.
At BaseFortify, we have published annotated CVE reports for both vulnerabilities, including attack-flow graphs, practical Q&A, and an AI assistant to help translate technical details into actionable risk.
CVE-2026-21877 — Authenticated Remote Code Execution
CVE-2026-21877 affects n8n versions 0.121.2 and below and allows an authenticated user to execute arbitrary code via the n8n service. In practice, this means that any compromised or overly trusted account with workflow access could escalate to full server control.
The root cause lies in unsafe handling of uploaded files and dynamically executed code (CWE-434, CWE-94). Once exploited, attackers can steal secrets, install persistence, or pivot to other connected systems.
Fixed in: n8n 1.121.3
See our annotated report with the Attack Flow Graph and AI Q&A: https://basefortify.eu/cve_reports/2026/01/cve-2026-21877.html
CVE-2026-21858 — Unauthenticated File Access (“Ni8mare”)
CVE-2026-21858 is even more severe. It allows a remote, unauthenticated attacker to read arbitrary files from the n8n server by abusing certain form-based workflows.
Due to improper input validation (CWE-20) and a Content-Type handling flaw, attackers can read sensitive files such as the n8n database and configuration. Researchers have shown how this can be chained into admin takeover and remote code execution.
Fixed in: n8n 1.121.0
Full BaseFortify analysis with attack paths and mitigation Q&A: https://basefortify.eu/cve_reports/2026/01/cve-2026-21858.html
Quick checks you can do now
Even without deep security tooling, you can perform a few basic checks:
1) Check your n8n version
- In the UI: Settings → About
- Or via CLI / container logs:
n8n --version
If you are below 1.121.3, assume you are vulnerable to at least one of these issues.
2) Review exposure
- Is n8n reachable from the internet?
- Are any Forms or Webhooks publicly accessible?
- Do untrusted users have permission to create or edit workflows?
3) Immediate mitigation
- Upgrade to the latest n8n release
- Disable unused nodes (notably Git and Execute Command)
- Enforce authentication on all forms and webhooks
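As an added example (not code from the original post or from the n8n project), a POSIX shell check that compares the version reported by `n8n --version` against the two "Fixed in" releases named above and reports which of the two CVEs still applies. It assumes the CLI output contains a dotted version string such as 1.121.2 and treats a pre-release suffix (e.g. -rc1) as older than the release it precedes.

```shell
#!/bin/sh
# Added example, not part of the original post. Fixed releases taken from the post:
#   CVE-2026-21858 -> fixed in 1.121.0
#   CVE-2026-21877 -> fixed in 1.121.3

# version_lt A B : succeed (exit 0) if dotted version A is lower than B.
version_lt() {
    a=${1%%-*}; b=${2%%-*}          # drop any "-rc1"-style suffix for numeric compare
    i=1
    while [ "$i" -le 3 ]; do        # compare major, minor, patch in turn
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    # Numeric parts equal: a pre-release of B (1.121.3-rc1) still precedes B.
    [ "$a" != "$1" ] && [ "$b" = "$2" ]
}

# cves_for_version VERSION : print the CVE ids from this post that still apply.
# Empty output means the version is not below either "Fixed in" release.
cves_for_version() {
    out=""
    version_lt "$1" 1.121.0 && out="CVE-2026-21858"
    version_lt "$1" 1.121.3 && out="${out:+$out }CVE-2026-21877"
    printf '%s\n' "$out"
}

# check_installed : query the local n8n CLI (assumed to print a dotted version
# somewhere in its output) and report the result; returns 1 if an upgrade is due.
check_installed() {
    v=$(n8n --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    if [ -z "$v" ]; then
        echo "could not read a version from 'n8n --version'" >&2
        return 2
    fi
    cves=$(cves_for_version "$v")
    if [ -n "$cves" ]; then
        echo "n8n $v: affected by $cves; upgrade to 1.121.3 or later"
        return 1
    fi
    echo "n8n $v: not below the fixed releases named in the post"
}

# Run the live check only when invoked as: sh check_n8n.sh --check
if [ "${1:-}" = "--check" ]; then check_installed; fi
```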
Our BaseFortify CVE pages include step-by-step mitigation guidance and let you ask follow-up questions via the built-in AI assistant.
Why these vulnerabilities matter
n8n often acts as a central automation hub, holding API keys, OAuth tokens, database credentials, and cloud secrets. A compromised n8n instance is not “just another server”—it is a single point of failure with a very large blast radius.
This also has implications for compliance (GDPR, HIPAA, ISO 27001), as uncontrolled access to sensitive data can quickly escalate into reportable incidents.
How BaseFortify.eu helps
BaseFortify.eu goes beyond raw CVE listings. For vulnerabilities like these, we provide:
- Annotated CVE reports with real attack context
- Attack Flow Graphs (CVE → CWE → CAPEC → ATT&CK)
- AI-powered Q&A to explain impact and mitigation in plain language
- A consistent way to assess what matters to your environment
If you want earlier insight and clearer guidance on vulnerabilities that affect your stack, you can create a free account here: https://basefortify.eu/register
Resources used
- n8n Security Advisories (GitHub): https://github.com/n8n-io/n8n/security/advisories
- BaseFortify CVE Report – CVE-2026-21877: https://basefortify.eu/cve_reports/2026/01/cve-2026-21877.html
- BaseFortify CVE Report – CVE-2026-21858: https://basefortify.eu/cve_reports/2026/01/cve-2026-21858.html
- Security.nl (Dutch): https://www.security.nl/posting/920054/n8n+waarschuwt+voor+kritieke+kwetsbaarheid+met+remote+code+execution
- The Hacker News – Ni8mare analysis: https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html