n8n:CVE-2026-21858: Content-Type confusion in webhook handlers allows unauthenticated remote code execution (Ni8mare)

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Jan 7, 2026
Added: Jan 9, 2026
Modified: Jan 9, 2026

Description

A critical Content-Type confusion vulnerability exists in n8n's webhook and form-handling middleware. An unauthenticated attacker can send a specially crafted HTTP request with a manipulated Content-Type header to bypass file-upload security checks. This allows the attacker to read arbitrary local files (such as the database and encryption keys), forge administrator sessions, and ultimately achieve full remote code execution on the host. This issue affects all n8n versions prior to 1.121.0.

Solution

n8n-upgrade-1_121_0