PT-2026-1662 · N8N · N8N

Dorattias · Published 2026-01-07 · Updated 2026-05-07

CVE-2026-21858

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: n8n versions 1.65.0 through 1.120.x

Description: A content-type confusion issue exists in the way the platform processes form-based webhook requests. When a request arrives, the server selects the body parser based on the Content-Type header; however, the Form Webhook Node does not properly validate this header. An attacker can change the Content-Type from multipart/form-data to application/json to bypass the secure file upload parser and reach the parseBody() function instead. This allows the attacker to override the req.body.files object and specify an arbitrary file path (e.g., /etc/passwd or the local SQLite database), leading to arbitrary file reads. With access to the database and encryption secrets, an attacker can forge admin session cookies to gain full control and execute arbitrary code via the Execute Command node. Approximately 100,000 servers worldwide are estimated to be affected. Real-world scanning campaigns originating from France have been observed using a specialized user agent, n8n-scanner/1.0, to identify vulnerable endpoints.

Recommendations: Update to version 1.121.0 or later. As a temporary mitigation, restrict or disable publicly accessible webhook and form endpoints. Configure authentication for all public forms within workflow settings. Block requests to file upload forms that use the application/json content type. Avoid exposing the platform directly to the internet without a VPN or additional authentication layers.
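The temporary mitigation above, turned into a screening rule a reverse proxy or log-review script could run in front of n8n, as an added example that is not code from the advisory or from n8n: it flags POSTs that deliver application/json to a form endpoint and requests carrying the scanner user agent named in the description. The form path prefixes and the JSON-lines log layout are assumptions; adjust them to your deployment.

```javascript
// Assumption: form endpoints live under these prefixes (deployment-specific).
const FORM_PATH_PREFIXES = ["/form/", "/form-test/"];
// User agent named in the advisory's description.
const SCANNER_UA = "n8n-scanner/1.0";

// Reduce a Content-Type header to its media type (drops "; boundary=..." etc.).
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Classify one request; returns the reasons it should be blocked (empty = allow).
function screenRequest({ method, path, contentType, userAgent }) {
  const reasons = [];
  const isFormEndpoint = FORM_PATH_PREFIXES.some((p) => path.startsWith(p));
  // Mitigation from the advisory: no JSON bodies to file upload forms.
  if (isFormEndpoint && method === "POST" && mediaType(contentType) === "application/json") {
    reasons.push("json-body-to-form-endpoint");
  }
  if ((userAgent || "").includes(SCANNER_UA)) {
    reasons.push("advisory-scanner-user-agent");
  }
  return reasons;
}

// Walk a JSON-lines access log (assumed layout) and return the flagged entries.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    const reasons = screenRequest(entry);
    if (reasons.length) findings.push({ path: entry.path, reasons });
  }
  return findings;
}

// Constructed sample log: a legitimate multipart upload, a JSON body sent to the
// same form endpoint, a scanner probe, and an ordinary API call.
const SAMPLE_LOG = [
  '{"method":"POST","path":"/form/upload-docs","contentType":"multipart/form-data; boundary=x","userAgent":"Mozilla/5.0"}',
  '{"method":"POST","path":"/form/upload-docs","contentType":"application/json","userAgent":"curl/8.0"}',
  '{"method":"GET","path":"/form/upload-docs","contentType":"","userAgent":"n8n-scanner/1.0"}',
  '{"method":"POST","path":"/rest/login","contentType":"application/json","userAgent":"Mozilla/5.0"}',
].join("\n");

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

Only the second and third sample entries are flagged; the multipart upload and the non-form API call pass through unchanged.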

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2026-00126
CVE-2026-21858
GHSA-V4PR-FM98-W9PG

Affected Products

N8N