Threat Signal Report

n8n Unauthenticated Remote Code Execution

What is the Vulnerability?	CVE-2026-21858 arises from a Content-Type confusion flaw in n8n’s webhook and form handling logic. Specifically, certain form-based workflows do not adequately validate or enforce multipart form content types, allowing attackers to override internal request parsing state. This allows unauthenticated attackers to: - Read arbitrary files from the server filesystem - Extract sensitive internal secrets (e.g., database files, auth keys) - Forge valid authentication sessions - Construct workflows that execute arbitrary operating system commands - Fully compromise the host, leading to complete server takeover The issue stems from improper input validation (CWE-20) and flawed logic in how webhook payloads are parsed and handled, enabling manipulation of internal variables that control file handling. Censys telemetry reports an estimated tens of thousands (26,512) of potentially exposed and vulnerable n8n instances when queried across the public internet via service detection. While no confirmed widespread exploitation campaigns have been documented at the time of disclosure, the unauthenticated nature and straightforward exploitability make this highly likely to be weaponized rapidly by scanning and exploitation tools.
What is the recommended Mitigation?	Immediate upgrade to n8n version 1.121.0 or later - which includes fixes for CVE-2026-21858. Official hardening guidance: https://docs.n8n.io/hosting/securing/blocking-nodes/ - Restrict or disable internet exposure of n8n webhook/form endpoints. - Enforce authentication for all form submissions and webhooks. - Audit logs for suspicious access patterns to webhook endpoints. - Rotate any credentials (API keys, tokens) stored in affected n8n instances. - Block high-risk nodes using n8n’s built-in node-blocking capabilities.
What FortiGuard Coverage is available?	FortiGuard Labs is actively monitoring this threat activity and will continue to provide updates as the situation evolves, including new intelligence, indicators, and protection guidance. Meanwhile, it strongly recommends users apply patches as provided by n8n. FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2026-21858. Intrusion Prevention \| FortiGuard Labs Lacework FortiCNAPP automatically detects affected packages found in user environments via the Vulnerability Management and Code Security components. Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.