n8n CVE-2026-21858: How an LLM Chatbot Node Became a Full RCE Chain

Step 1 — Find a public Form Trigger workflow

The only precondition for exploitation is that the attacker can reach an n8n Form Trigger endpoint without authentication. These live at predictable paths like /form/<form-id> or /webhook/<path>, and n8n will happily render them for anonymous users unless you've put the instance behind SSO or a VPN. A quick Shodan sweep on port 5678 and the n8n HTTP banner returns thousands of instances — the same shape of exposure we saw with Flowise and Langflow in the last two quarters.

Step 2 — Override `req.body.files` with a server-side path

The vulnerable code path parses the upload body before confirming the request is actually a file upload. The attacker sends a POST to the form endpoint with a Content-Type the parser mishandles and a body that sets files to a reference to a local file such as /etc/passwd, /home/node/.n8n/config, or /home/node/.n8n/database.sqlite. n8n dutifully attaches that file to the form submission as if the user had uploaded it — except the "user" never had to. At this point the attacker has unauthenticated arbitrary file read. On most deployments that alone is enough to walk off with .env files, SSH keys, and any secrets the n8n process user can see.

Step 3 — Use the LLM chatbot node as an exfiltration oracle

This is where the bug becomes interesting. If the Form Trigger feeds a workflow that contains an LLM Chat node (OpenAI, Anthropic, Azure, local Ollama — it doesn't matter), the attacker-injected file lands in the model's context. The attacker then opens the chat interface and asks: The model, having no idea it is being weaponized, obediently returns the contents of database.sqlite, .env, or /etc/shadow as chat output. The LLM is doing exactly what it was designed to do; it just happens to be reading files chosen by someone who never logged in. This is the pattern we called out in our write-up on how to protect AI agents against prompt injection attacks. LLM nodes that accept file attachments are, by construction, content-exfiltration oracles. Once an attacker controls the file input, the model is the loot printer.

Step 4 — Read the SQLite database and the encryption key

Default n8n stores everything in ~/.n8n/database.sqlite: users, credentials (encrypted), workflows, execution history. The encryption key for those credentials lives in the environment variable N8N_ENCRYPTION_KEY, which by default is written to ~/.n8n/config on first boot. Both files are readable by the n8n process user, which means both are reachable through Step 2's file read. The attacker asks the chatbot to dump database.sqlite (or reads it directly as binary from the file-read primitive), extracts the admin users row, and grabs the N8N_ENCRYPTION_KEY from config. That key decrypts every stored credential in the database — API keys for OpenAI, Slack tokens, database passwords, Google service accounts. If your n8n was the orchestrator for your internal tooling, the attacker now owns all of it.

Step 5 — Forge an admin session cookie

n8n signs session cookies with a secret that lives in the same config file the attacker just read. With the admin user ID from the SQLite dump and the session secret from config, the attacker forges a valid n8n-auth cookie and logs in as admin. No password reset, no email, no MFA — the session validation code simply trusts the signature.

Step 6 — Drop an Execute Command node for RCE

Authenticated as admin, the attacker creates a new workflow with an Execute Command node — a first-class n8n node that runs arbitrary shell on the host — wired to a webhook trigger. They hit the webhook. The n8n worker runs the command as whatever user it executes under, which in the default Docker image is node but in plenty of real-world installs is root because someone bind-mounted /var/run/docker.sock "just for now." Game over. The full chain — from zero knowledge to root shell — is a single HTTP request loop and takes under a minute in Horizon3.ai's PoC. The Execute Command node is the sharp end, but the LLM chatbot node is what makes the file-read step trivially useful. Without it, the attacker would need to script the raw file-read endpoint; with it, they just ask politely.

1. Patch to 1.121.0

For Docker deployments: For npm-based installs: For Kubernetes with the community Helm chart, bump image.tag: 1.121.0, helm upgrade, and confirm the new pod is running before deleting the old one.

2. Pull the instance off the public internet

Patching closes this CVE. It does not close the class of bug, and Cyera's own disclosure timeline noted the researcher found adjacent issues while auditing. Any self-hosted AI workflow platform that lets end users wire LLMs to shell nodes belongs behind authentication — full stop. Put n8n behind one of: Cloudflare Access with SSO, Tailscale or WireGuard, an internal ALB with OIDC, or at minimum HTTP Basic auth at the reverse proxy layer (N8N_BASIC_AUTH_ACTIVE=true, N8N_BASIC_AUTH_USER, N8N_BASIC_AUTH_PASSWORD). Form Triggers that must be public should live on a separate, minimal instance with no credentials, no Execute Command node, and no shared encryption key.

3. Rotate every secret n8n could see

Assume the attacker already read your database. Rotate: Then rotate every secret stored as an n8n credential: OpenAI and Anthropic API keys, Slack/Discord/Telegram bot tokens, database passwords, SMTP passwords, Google service account JSON, webhook signing secrets. If you have no way to tell whether you were exploited pre-patch, the only safe assumption is that everything in the credentials table is burned. Also rotate anything the n8n process user could reach on the host — SSH keys in the user's home, .aws/credentials, .kube/config, mounted Docker socket, anything in /etc that was world-readable.

4. Exposure audit

Check your reverse proxy and load balancer logs for POST requests to /form/, /webhook/, and /rest/ endpoints between now and the earliest date your instance was internet-reachable. Look specifically for: If you find any of those, treat it as a confirmed breach: rebuild the host from a known-good image, rotate everything downstream, and start an incident timeline.

• POST bodies containing path traversal (.., /etc/, .env, database.sqlite, config)
• Unusual Content-Type headers on upload endpoints
• Newly created workflows you don't recognize, especially ones containing Execute Command or Code nodes
• Any workflow execution whose output contains shell prompts, passwd-style colon-separated rows, or base64 blobs you didn't put there

Network boundary

• [ ] Instance is not directly reachable from the public internet. SSO, VPN, or mTLS sits in front of every endpoint including /webhook, /form, and /rest.
• [ ] Separate instance for public-facing Form Triggers — no credentials, no shell nodes, no shared encryption key with the internal instance.
• [ ] Reverse proxy enforces method and content-type allowlists on upload endpoints.
• [ ] Outbound network from the worker is restricted to the LLM provider, vector DB, and specific API endpoints the workflows need — nothing else.

Runtime isolation

• [ ] Worker runs as a non-root, dedicated UID. No bind-mounted Docker socket, no --privileged, no /var/run/docker.sock.
• [ ] Root filesystem is read-only. Only ~/.n8n and /tmp are writable, and /tmp is a tmpfs with a size cap.
• [ ] Container runs with --security-opt no-new-privileges, a seccomp profile, and AppArmor or SELinux enforcement.
• [ ] Secrets live in an external secret store (Vault, AWS Secrets Manager, Doppler) and are injected at runtime — not stored in n8n credentials where a single key decrypts them all.

Node allowlisting

Example environment config for a hardened production n8n:

• [ ] Dangerous node types are disabled via NODES_EXCLUDE unless an explicit workflow needs them. At minimum block: n8n-nodes-base.executeCommand, n8n-nodes-base.ssh, n8n-nodes-base.code, n8n-nodes-base.readBinaryFile, n8n-nodes-base.writeBinaryFile.
• [ ] Code nodes (JavaScript/Python) are disabled in any environment where non-trusted users can author workflows.
• [ ] LLM nodes have file and tool access explicitly scoped via allowlist — not "any file under the n8n user's home."

LLM-specific controls

This is the part most hardening guides skip. An LLM node is not just another HTTP client — it is a capability boundary. The last one is the lesson of Ni8mare in a single bullet. If an LLM node and an Execute Command node can be reached from the same unauthenticated entry point, the only thing standing between an attacker and root shell is a polite conversation.

• [ ] Every LLM node that can read files has an explicit file allowlist. No * paths, no "whatever the Form Trigger hands me."
• [ ] LLM tool calls are logged with the full tool name, argument, and calling workflow. Anomalous paths (.., /etc, .env, database.sqlite) trigger alerts.
• [ ] Tool outputs that contain credential-shaped patterns (base64 blobs, BEGIN RSA PRIVATE KEY, sk-, xoxb-, JWTs) are redacted before being returned to the chat surface.
• [ ] LLM nodes do not share a trust boundary with shell-exec nodes in the same workflow unless the workflow is explicitly audited and non-public.