
AL26-001 – Vulnerabilities affecting n8n – CVE-2026-21858, CVE-2026-21877 and CVE-2025-68613

The Canadian Centre for Cyber Security has issued an alert regarding multiple high-severity vulnerabilities in n8n workflow automation software. These flaws, including improper input validation and code injection, can be chained by unauthenticated attackers to achieve remote code execution, with public Proof-of-Concept exploits already available.

Sens: Immediate | Conf: high | Analyzed: 2026-03-04

Authors: Canadian Centre for Cyber Security

Source: Canadian Centre for Cyber Security

Key Takeaways

  • Multiple high-severity vulnerabilities discovered in n8n workflow automation software.
  • Public Proof-of-Concepts (PoCs) are available, including an exploit chain for unauthenticated Remote Code Execution (RCE).
  • CVE-2026-21858 and CVE-2025-68613 can be chained to extract sensitive data and execute arbitrary commands.
  • Organizations must upgrade to patched versions immediately or disable publicly accessible webhook and form endpoints.

Affected Systems

  • n8n workflow automation software (versions from 0.211.0 up to, but not including, 1.122.0; the exact affected range depends on the specific CVE)

Vulnerabilities (CVEs)

  • CVE-2026-21858
  • CVE-2026-21877
  • CVE-2025-68613

Attack Chain

An unauthenticated remote attacker targets a publicly accessible n8n webhook or form endpoint. By exploiting insufficient input validation in the parseRequestBody() function (CVE-2026-21858), the attacker extracts sensitive data. This access is then chained with an expression isolation flaw (CVE-2025-68613) or code injection vulnerability (CVE-2026-21877) to execute arbitrary commands on the underlying server with the privileges of the n8n process.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect post-exploitation activity such as unexpected child processes spawning from the n8n process, but may not see the initial web request payload.
  • Network Visibility: Medium — WAFs or network monitoring might detect anomalous webhook payloads or exploit signatures if the PoC traffic patterns are known, though HTTPS encryption may obscure the payload.
  • Detection Difficulty: Moderate — Detecting the specific exploit requires deep packet inspection or application-level logging of webhook payloads, but post-exploitation process execution from the n8n service is easier to spot.

Required Log Sources

  • Web server access logs
  • n8n application logs
  • Process creation logs (Windows Security Event ID 4688 / Sysmon Event ID 1)

Hunting Hypotheses

Hypothesis 1: Look for unexpected child processes (e.g., shell execution) spawning from the n8n application process, indicating potential remote code execution.
  • Telemetry: Process creation logs (EDR/Sysmon)
  • ATT&CK Stage: Execution
  • FP Risk: Low

Hypothesis 2: Monitor for anomalous or excessively large payloads sent to n8n webhook endpoints, particularly those attempting to manipulate the parseRequestBody() function.
  • Telemetry: Web Application Firewall (WAF) or Reverse Proxy logs
  • ATT&CK Stage: Initial Access
  • FP Risk: Medium
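As an added example (not from the advisory or the Cyber Centre), the two hunting hypotheses above expressed as detection logic run over constructed sample telemetry. The Sysmon-style records, the access-log format with a request_length field, the 512 KiB size threshold and the list of shell interpreters are all assumptions; n8n is recognised as the parent by the "n8n" string in its node command line.

```python
import re

# Constructed Sysmon Event ID 1 style records (not from the advisory). n8n runs under
# node, so the parent is recognised by "n8n" in its image path or command line.
N8N_CMD = "node /usr/local/lib/node_modules/n8n/bin/n8n start"
PROCESS_EVENTS = [
    {"ParentImage": "/usr/local/bin/node", "ParentCommandLine": N8N_CMD,
     "Image": "/bin/sh", "CommandLine": "sh -c id"},                     # suspicious
    {"ParentImage": "/usr/local/bin/node", "ParentCommandLine": N8N_CMD,
     "Image": "/usr/local/bin/node", "CommandLine": "node n8n worker"},  # benign
    {"ParentImage": "C:\\Windows\\System32\\services.exe", "ParentCommandLine": "services.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # not n8n
]
# Constructed reverse-proxy access log; assumed format: client method path status request_length.
ACCESS_LOG = """\
10.0.0.5 POST /webhook/order-intake 200 842
10.0.0.9 POST /webhook/order-intake 200 1310720
10.0.0.7 GET /rest/workflows 200 310
10.0.0.8 POST /form/contact 200 620000
"""
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def basename(path):
    """Last path component, lower-cased, handling both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def find_n8n_shell_spawns(events):
    """Hypothesis 1: shell interpreters whose parent is the n8n process (MITRE T1059)."""
    return [e for e in events
            if basename(e["Image"]) in SHELLS
            and "n8n" in (e["ParentImage"] + " " + e["ParentCommandLine"]).lower()]

def find_oversized_webhook_posts(log_text, threshold=512 * 1024):
    """Hypothesis 2: POSTs to webhook/form endpoints with a request body above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:            # skip lines that do not match the assumed format
            continue
        client, method, path, _status, size = m.groups()
        if method == "POST" and path.startswith(("/webhook", "/form")) and int(size) > threshold:
            hits.append((client, path, int(size)))
    return hits

if __name__ == "__main__":
    for e in find_n8n_shell_spawns(PROCESS_EVENTS):
        print("shell spawned by n8n:", e["CommandLine"])
    for client, path, size in find_oversized_webhook_posts(ACCESS_LOG):
        print(f"oversized POST from {client} to {path}: {size} bytes")
```

Tune the size threshold to the largest legitimate payload your workflows receive; the process-spawn check has the lower false-positive rate of the two, matching the FP risk ratings above.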

Control Gaps

  • Lack of strict input validation on webhooks
  • Insufficient isolation of user-supplied expressions

Key Behavioral Indicators

  • n8n process spawning cmd.exe, sh, or bash
  • Anomalous HTTP POST requests to webhook endpoints

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Upgrade n8n instances to patched versions (1.120.4, 1.121.0, 1.121.1, 1.121.3, or 1.122.0).
  • If patching is not immediately possible, restrict or disable publicly accessible webhook and form endpoints.

Infrastructure Hardening

  • Isolate web-facing applications from critical internal networks.
  • Implement a Web Application Firewall (WAF) to filter anomalous webhook requests.

User Protection

  • Ensure the n8n service runs with the principle of least privilege to limit the impact of arbitrary code execution.

Security Awareness

  • Review and implement the Cyber Centre's Top 10 IT Security Actions, focusing on patching and hardening operating systems and applications.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059 - Command and Scripting Interpreter