Rapid7
n8n: CVE-2026-21858: Content-Type confusion in webhook handlers allows unauthenticated remote code execution (Ni8mare)

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Jan 7, 2026
Added: Jan 9, 2026
Modified: Jan 9, 2026

Description

A critical Content-Type confusion vulnerability exists in n8n's webhook and form-handling middleware. An unauthenticated attacker can send a specially crafted HTTP request with a manipulated Content-Type header to bypass file-upload security checks. This allows the attacker to read arbitrary local files (such as the database and encryption keys), forge administrator sessions, and ultimately achieve full remote code execution on the host. This issue affects all n8n versions prior to 1.121.0.

Solution

Upgrade n8n to version 1.121.0 or later (n8n-upgrade-1_121_0).
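The practical first step for a defender is to find every n8n instance still older than the fixed release. The following added example, which is not Rapid7's or n8n's code, does that over a small constructed inventory: it parses n8n version strings (assumed to use the MAJOR.MINOR.PATCH form, optionally with a pre-release suffix and a leading "v") and flags anything below 1.121.0, the fix version stated in this advisory.

```python
"""Affected-version check for CVE-2026-21858 (added example, not Rapid7's or n8n's code).

Assumptions: n8n reports versions as MAJOR.MINOR.PATCH, optionally with a
pre-release suffix (e.g. 1.121.0-rc.1) and an optional leading "v".
The inventory below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "1.121.0"  # first fixed release, per the advisory

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Split a version string into (major, minor, patch, prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre or "")


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than `fixed`.

    A pre-release build of the fixed version (e.g. 1.121.0-rc.1) is treated
    as affected, since it predates the final release that carries the fix.
    """
    v = parse_version(version)
    f = parse_version(fixed)
    if v[:3] != f[:3]:
        return v[:3] < f[:3]  # numeric comparison of (major, minor, patch)
    # Same numeric triple: a pre-release sorts before the release itself.
    return bool(v[3]) and not f[3]


# Constructed inventory (hypothetical hosts): hostname -> reported n8n version
INVENTORY: Dict[str, str] = {
    "n8n-prod-01": "1.120.4",
    "n8n-prod-02": "1.121.0",
    "n8n-dev": "1.121.0-rc.1",
    "n8n-lab": "1.122.1",
    "n8n-legacy": "0.236.3",
}


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose n8n version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: n8n {INVENTORY[host]} is affected by CVE-2026-21858; "
              f"upgrade to {FIXED_VERSION} or later")
```

Feed the check whatever your inventory source reports (for example the version shown in the n8n UI or the image tag of the deployed container); the pre-release handling matters because a release candidate of 1.121.0 looks fixed on a naive string comparison but is not.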