A new critical authentication bypass vulnerability affecting the workflow automation platform n8n, tracked as CVE-2026-21858, was disclosed on 7 January 2026. It has been assigned a CVSS 3.1 score of 10.
It should be noted that it is actively exploited: the technical details allowing an attacker to exploit CVE-2026-21858 are public, and ongoing exploitation attempts have been detected.
Initial attack vector of the n8n vulnerability
The vulnerability allows an unauthenticated attacker to arbitrarily and remotely read files stored on the platform, which can lead to the theft of an administrator session.
Technical details of the n8n vulnerability
When a file is uploaded to the platform, no check is performed on the “Content-Type” field of the HTTP header. A threat actor can therefore manipulate the behavior of the file upload mechanism in order to force the server to read the content of other files stored on the same platform. The threat actor can then query the AI agent about the content of those files in order to gain access to any secrets they contain.
Attack modelling with MITRE ATT&CK
- T1190: Exploit Public-Facing Application
How to protect against the n8n vulnerability with Stormshield Network Security
Protection against CVE-2026-21858
Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2026-21858 with its protocol inspection:
- http:mix.364 = Web : Possible exploitation of a Content-Type confusion in an n8n platform (CVE-2026-21858)
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
Recommendations regarding the n8n vulnerability
It is highly recommended to update the n8n platform to version 1.121.0 or above.
