Share
## https://sploitus.com/exploit?id=31B4AEFF-EDDF-5438-A0F4-EA226FBDDF4D
# CVE-2026-21858

## n8n Workflow Automation Platform - Remote Code Execution

A security research tool for detecting CVE-2026-21858, a critical remote code execution vulnerability in the n8n workflow automation platform.

---

## Table of Contents

- [Vulnerability Summary](#vulnerability-summary)
- [Affected Versions](#affected-versions)
- [Technical Analysis](#technical-analysis)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Usage](#usage)
- [Output Reference](#output-reference)
- [Detection Methodology](#detection-methodology)
- [Mitigation and Remediation](#mitigation-and-remediation)
- [Indicators of Compromise](#indicators-of-compromise)
- [Legal Disclaimer](#legal-disclaimer)
- [References](#references)
- [Credits](#credits)

---

## Vulnerability Summary

| Field | Value |
|-------|-------|
| CVE Identifier | CVE-2026-21858 |
| CVSS v3.1 Score | 10.0 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE Classification | CWE-94: Improper Control of Generation of Code |
| Vendor | n8n GmbH |
| Product | n8n Workflow Automation |
| Disclosure Date | January 2026 |
| Patch Available | Yes (v1.121.0+) |

### Executive Summary

A critical vulnerability exists in n8n versions 1.65.0 through 1.120.x that allows unauthenticated remote attackers to execute arbitrary code on the underlying server. The vulnerability is exploited through specially crafted form-based workflows, enabling unauthorized file system access and command execution.

### Impact Assessment

- **Confidentiality**: Complete compromise of system data
- **Integrity**: Arbitrary file modification and code execution
- **Availability**: Potential for complete system takeover or denial of service
- **Scope**: Changed - exploitation may affect resources beyond the vulnerable component

---

## Affected Versions

| Version Range | Status |
|---------------|--------|
| = 1.121.0 | Patched |

---

## Technical Analysis

### Vulnerability Root Cause

The vulnerability originates from insufficient input validation in the form-based workflow execution engine. When processing user-supplied data through form triggers, n8n fails to properly sanitize input parameters before passing them to internal execution contexts.

### Attack Vector

1. Attacker identifies a publicly accessible n8n instance
2. Exploitation targets form-based workflow endpoints
3. Malicious payloads are injected through form input fields
4. The payload executes with the privileges of the n8n service account
5. Arbitrary file read/write and command execution are achieved

### Exploitation Complexity

- **Prerequisites**: Network access to target n8n instance
- **Authentication**: Not required
- **User Interaction**: None
- **Attack Complexity**: Low

---

## Prerequisites

### System Requirements

- Python 3.12 or higher
- Network connectivity to target n8n instance(s)
- Sufficient permissions to execute Python scripts

### Dependencies

| Package | Minimum Version | Purpose |
|---------|-----------------|---------|
| requests | 2.31.0 | HTTP request handling |
| urllib3 | 2.0.0 | URL and connection management |
| packaging | 23.0 | Version comparison logic |

---

## Installation

### Method 1: Using uv (Recommended)

[uv](https://github.com/astral-sh/uv) is a fast Python package installer and resolver.

```bash
# Clone the repository
git clone https://github.com/SystemVll/CVE-2026-21858.git
cd CVE-2026-21858

# Install dependencies and create virtual environment
uv sync

# Run the tool
uv run python main.py -u https://target.example.com
```

### Method 2: Using pip

```bash
# Clone the repository
git clone https://github.com/SystemVll/CVE-2026-21858.git
cd CVE-2026-21858

# Create virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate  # Linux/macOS
# or
.\venv\Scripts\activate   # Windows

# Install dependencies
pip install requests>=2.31.0 urllib3>=2.0.0 packaging>=23.0

# Run the tool
python main.py -u https://target.example.com
```

### Method 3: Manual Installation

```bash
# Ensure Python 3.12+ is installed
python3 --version

# Install required packages
pip install requests urllib3 packaging

# Download and run
curl -O https://raw.githubusercontent.com/SystemVll/CVE-2026-21858/main/main.py
python3 main.py -u https://target.example.com
```

---

## Usage

### Command Line Interface

```
Usage:
    python main.py -u         Scan single target
    python main.py -l       Scan multiple targets from file

Arguments:
    -u    Single target URL
    -l    Path to file containing target URLs (one per line)
```

### Single Target Scan

Test a single n8n instance for the vulnerability:

```bash
python main.py -u https://n8n.example.com
```

```bash
python main.py -u http://192.168.1.100:5678
```

### Bulk Target Scan

Scan multiple targets from a file:

```bash
python main.py -l targets.txt
```

**Target File Format** (`targets.txt`):

```text
https://n8n.company-a.com
https://n8n.company-b.com:5678
http://10.0.0.50:5678
n8n.company-c.com
192.168.1.100:5678
```

Notes:
- One target per line
- URLs without a protocol prefix default to `https://`
- Empty lines are ignored
- Targets are scanned concurrently using threading

---

## Output Reference

### Status Indicators

| Indicator | Color | Description |
|-----------|-------|-------------|
| `[VULNERABLE]` | Green | Target runs a vulnerable n8n version (1.65.0 - 1.120.x) |
| `[SAFE]` | Blue | Target runs a patched version (>= 1.121.0 or < 1.65.0) |
| `[WARNING]` | Yellow | n8n instance detected but version extraction failed |
| `[ERROR]` | Red | Connection failure, timeout, or non-n8n target |

## Detection Methodology

### Version Fingerprinting Process

The tool employs passive version detection through the following steps:

1. **Endpoint Request**: HTTP GET request to `/signin` endpoint
2. **Instance Verification**: Validates target is an n8n installation
3. **Configuration Extraction**: Locates `n8n:config:sentry` meta tag in HTML
4. **Base64 Decoding**: Decodes the embedded Sentry configuration
5. **Version Parsing**: Extracts version string matching pattern `n8n@X.Y.Z`
6. **Vulnerability Assessment**: Compares extracted version against known vulnerable range

### Request Details

```http
GET /signin HTTP/1.1
Host: target.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Language: en-US,en;q=0.5
Connection: close
```

---

## Mitigation and Remediation

### Immediate Actions

1. **Upgrade n8n**: Update to version 1.121.0 or later immediately
   ```bash
   # Using npm
   npm update -g n8n
   
   # Using Docker
   docker pull n8nio/n8n:latest
   ```

2. **Network Isolation**: Restrict access to n8n instances
   - Implement firewall rules limiting access to trusted IP ranges
   - Place n8n behind a VPN or reverse proxy with authentication

3. **Workflow Audit**: Review all existing workflows
   - Identify and disable form-based workflows temporarily
   - Audit webhook endpoints for unauthorized access

### Long-term Recommendations

| Action | Priority | Description |
|--------|----------|-------------|
| Patch Management | Critical | Establish automated update procedures for n8n |
| Access Control | High | Implement authentication for all n8n endpoints |
| Network Segmentation | High | Isolate n8n from public networks |
| Monitoring | Medium | Deploy logging and alerting for n8n activity |
| Least Privilege | Medium | Run n8n with minimal required permissions |
| Backup | Medium | Maintain regular backups of workflow configurations |

### Verification After Patching

```bash
# Verify n8n version after update
n8n --version

# Or check via this tool
python main.py -u https://your-n8n-instance.com
# Expected: [SAFE] ... Version: 1.121.0+ (not vulnerable)
```

---

## Indicators of Compromise

### Log Analysis

Review n8n and web server logs for the following patterns:

- Unusual POST requests to form trigger endpoints
- Requests containing encoded payloads in form fields
- Access attempts to sensitive file paths via form data
- Unexpected outbound connections from the n8n server

### File System Artifacts

- Unauthorized files in n8n working directories
- Modified workflow configuration files
- Unexpected scripts or executables

### Network Indicators

- Connections to unknown external hosts
- Data exfiltration patterns
- Reverse shell connections originating from n8n process

---

## Legal Disclaimer

**IMPORTANT: READ BEFORE USE**

This tool is provided strictly for:
- Authorized security assessments
- Penetration testing with written permission
- Educational and research purposes
- Defensive security operations

**Prohibited Uses:**
- Unauthorized access to computer systems
- Exploitation of systems without explicit written consent
- Any activity that violates applicable laws or regulations

**Liability:**
The authors and contributors assume no responsibility for misuse of this software. Users are solely responsible for ensuring compliance with all applicable laws and obtaining proper authorization before conducting any security testing.

**Legal Notice:**
Unauthorized access to computer systems is a criminal offense in most jurisdictions, including but not limited to violations of the Computer Fraud and Abuse Act (CFAA) in the United States, the Computer Misuse Act in the United Kingdom, and similar legislation worldwide.

---

## References

### Official Resources

- [n8n Official Website](https://n8n.io)
- [n8n GitHub Repository](https://github.com/n8n-io/n8n)
- [n8n Security Advisories](https://github.com/n8n-io/n8n/security/advisories)

### Vulnerability Databases

- [NVD - CVE-2026-21858](https://nvd.nist.gov/vuln/detail/CVE-2026-21858)
- [MITRE CVE Record](https://vulners.com/cve/CVE-2026-21858)

### Related Documentation

- [CWE-94: Improper Control of Generation of Code](https://cwe.mitre.org/data/definitions/94.html)
- [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)

---

## Credits

- **Original Research**: Based on Nuclei template by rxerium
- **Framework**: Part of the HGrab Framework
- **Maintainers**: Security Research Community

---

## Changelog

| Version | Date | Changes |
|---------|------|---------|
| 1.0.0 | 2026-01-20 | Initial release |

---

## License

This project is provided as-is for authorized security research purposes only. No warranty is provided, express or implied. Use at your own risk and in accordance with applicable laws.