GHSA-V4PR-FM98-W9PG

Vulnerability from github – Published: 2026-01-07 19:20 – Updated: 2026-01-08 20:10
VLAI?
Summary
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
Details

Impact

A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage.

Patches

The issue has been fixed in n8n version 1.121.0. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

No official workarounds are available. As a temporary mitigation, users may restrict or disable publicly accessible webhook and form endpoints until upgrading.

Severity ?
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.65.0"
            },
            {
              "fixed": "1.121.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-07T19:20:19Z",
    "nvd_published_at": "2026-01-08T00:15:59Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nA vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage.\n\n### Patches\nThe issue has been fixed in n8n version 1.121.0. Users should upgrade to this version or later to remediate the vulnerability.\n\n### Workarounds\nNo official workarounds are available. As a temporary mitigation, users may restrict or disable publicly accessible webhook and form endpoints until upgrading.",
  "id": "GHSA-v4pr-fm98-w9pg",
  "modified": "2026-01-08T20:10:17Z",
  "published": "2026-01-07T19:20:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21858"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/n8n-io/n8n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.