Cybersecurity researchers have disclosed a new critical flaw in the popular workflow automation platform n8n that could allow unauthenticated attackers to fully compromise vulnerable systems. The issue, tracked as CVE-2026-21858 and assigned a maximum CVSS score of 10.0, is being described as one of the most severe n8n vulnerabilities reported to date.The n8n vulnerability was discovered and responsibly disclosed by security researcher Dor Attias on November 9, 2025. n8n later confirmed the issue in a security advisory, warning that attackers could access files on the underlying server through certain form-based workflows.According to n8n, “A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker.” The company noted that the flaw could expose sensitive data and potentially enable further compromise depending on configuration and usage.CVE-2026-21858 is a Content-Type confusion bug tied to how the n8n webhook processes incoming HTTP requests. The webhook parses requests differently based on the Content-Type header, creating a gap that attackers can exploit to manipulate file-handling behavior.
How the n8n Webhook Content-Type Confusion Is Exploited
The vulnerability stems from how n8n handles form submissions. When a request is processed, the platform uses parseRequestBody() to determine whether to invoke a file upload parser or a regular body parser. If multipart/form-data is specified, uploaded files are parsed and stored in req.body.files.However, researchers found that certain file-handling functions are executed without verifying the Content-Type header. As a result, attackers can override req.body.files even when no file upload is present.“Since this function is called without verifying the content type is ‘multipart/form-data,’ we control the entire req.body.files object,” Attias explained. This allows an attacker to copy any local file from the server instead of an uploaded file, exposing sensitive system data to downstream workflow nodes.
n8n Vulnerability Enables Admin Bypass and Remote Code Execution
The impact of CVE-2026-21858 extends beyond arbitrary file reads. Researchers demonstrated how attackers could escalate the flaw into a full system compromise. By abusing the n8n vulnerability, a threat actor could read the internal SQLite database at /home/node/.n8n/database.sqlite, extract administrator credentials, and then retrieve encryption secrets from /home/node/.n8n/config.Using this information, attackers could forge a valid admin session cookie, bypass authentication, and gain full administrative access. From there, they could create a malicious workflow containing an “Execute Command” node, achieving remote code execution on the host system.Cyera warned that the centralized nature of n8n significantly amplifies the risk. “A compromised n8n instance doesn’t just mean losing one system; it means handing attackers the keys to everything,” the company said, citing stored API credentials, OAuth tokens, and database connections as high-value targets.
Patch Status and Mitigations for CVE-2026-21858
The n8n vulnerability affects all versions up to and including 1.65.0 and was patched in version 1.121.0, released on November 18, 2025. Users are strongly urged to upgrade to a fixed or newer release, such as versions 1.123.10, 2.1.5, 2.2.4, or 2.3.0.As additional mitigations, administrators are advised to avoid exposing n8n instances to the internet, enforce authentications for all Forms, and restrict or disable publicly accessible n8n webhook and form endpoints until patches can be applied.The disclosure of CVE-2026-21858 follows several other critical issues in n8n, including CVE-2025-68668 and CVE-2025-68613, highlighting the need for rigorous security controls around automation platforms that manage sensitive integrations and credentials.
A newly disclosed n8n vulnerability has been confirmed to allow authenticated users to execute arbitrary system commands on affected servers. The issue, tracked as CVE-2025-68668, has been assigned a CVSS score of 9.9, placing it firmly in the critical severity range. The flaw impacts the open-source workflow automation platform n8n and affects a broad range of deployed versions.n8n is commonly used to design and run automated workflows that connect applications, services, and scripts. Due to its role in handling sensitive integrations and credentials, security vulnerabilities within the platform can have significant consequences.
Sandbox Bypass in the Python Code Node
The n8n vulnerability affects all versions from 1.0.0 up to, but not including, 2.0.0. According to the advisory, an authenticated user who has permission to create or modify workflows can exploit the issue to execute arbitrary operating system commands on the host running n8n. The vulnerability has been categorized as a protection mechanism failure.The root cause lies in a sandbox bypass within the Python Code Node, which uses Pyodide to execute Python code. The advisory describes the issue clearly: “A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process.”While the attacker does not automatically gain higher privileges than the n8n service itself, the ability to run system commands at that level may still allow for data access, lateral movement, or further compromise depending on how the instance is deployed. The flaw was published under GHSA-62r4-hw23-cc8v, with security researcher csuermann credited for the report. The affected package is the n8n npm package, and the issue remained present until it was fully addressed in version 2.0.0.
Patch Details and Security Improvements
The CVE-2025-68668 issue has been resolved in n8n version 2.0.0, which is now listed as the patched release. However, security improvements related to this issue were introduced earlier. In n8n version 1.111.0, the project added a task runner–based native Python implementation as an optional feature. This implementation was designed to provide a stronger isolation model than the Pyodide-based sandbox used by the Python Code Node.To enable this more secure execution environment in affected versions, administrators must configure the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. With the release of n8n 2.0.0, this task runner–based Python sandbox became the default behavior, effectively mitigating the sandbox bypass that made CVE-2025-68668 exploitable.The introduction of this default setting marks an architectural change aimed at reducing the attack surface associated with executing Python code inside workflows. It also reflects a broader shift toward isolating potentially dangerous operations more rigorously within automation platforms.
Mitigations, Workarounds, and Broader Context for CVE-2025-68668
For organizations that cannot immediately upgrade, n8n has outlined several workarounds to limit exposure to the n8n vulnerability. One option is to completely disable the Code Node by setting the environment variable NODES_EXCLUDE to ["n8n-nodes-base.code"]. Another mitigation is to disable Python support in the Code Node entirely by setting N8N_PYTHON_ENABLED=false, a configuration option introduced in n8n version 1.104.0. Administrators can also proactively enable the task runner–based Python sandbox using N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER.The disclosure of CVE-2025-68668 follows another recently addressed critical flaw, CVE-2025-68613, which also carried a CVSS score of 9.9 and could lead to arbitrary code execution under certain conditions.
Login
