CVE-2026-21858: n8n unauthenticated file access
CVE-2026-21858 (n8n unauthenticated file access) is an unauthenticated file access (information disclosure) vulnerability in the n8n npm package. As of 2026-06-18 it carries a very high 72.0% probability of exploitation in the next 30 days (EPSS). It is fixed in 1.121.0; if you run or depend on an earlier version from 1.65.0 onward, upgrade.
| Field | Value |
|---|---|
| Severity | Critical |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| EPSS (exploit probability, 30d) | 72.0% · 99th percentile |
| Vulnerability type | Unauthenticated File Access (information disclosure) |
| Affected package | n8n (npm) |
| Affected versions | 1.65.0 up to (but not including) 1.121.0 |
| Fixed in | 1.121.0 |
What is CVE-2026-21858?
n8n, a widely used open-source workflow-automation platform, mishandled certain form-based webhook workflows in versions from 1.65.0 up to (but not including) 1.121.0, letting an unauthenticated remote attacker read files on the underlying server. That exposes sensitive data such as credentials and config and can enable further compromise of the host. Fixed in 1.121.0.
Is CVE-2026-21858 exploitable?
CVE-2026-21858 has an EPSS score of 72.0% (99th percentile), meaning a very high 72.0% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (base score 9.3), which is Critical severity: reachable over the network, low attack complexity, no privileges or user interaction required, and an impact that crosses the scope of the vulnerable component. It is an unauthenticated file access (information disclosure) issue.
What is the EPSS score for CVE-2026-21858?
As of 2026-06-18, the EPSS exploit-prediction score for CVE-2026-21858 is 72.0% (99th percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.
How do I fix CVE-2026-21858?
Upgrade n8n to 1.121.0 or later. Affected versions run from 1.65.0 up to (but not including) 1.121.0; versions below 1.65.0 are not covered by this advisory. After upgrading, confirm that the version actually resolved in your lockfile (or reported by your running instance) is at least 1.121.0, since a caret or range specifier in package.json does not by itself guarantee the fixed release was installed.
Am I affected by CVE-2026-21858?
You are affected if your project depends, directly or transitively, on a version of n8n from 1.65.0 up to (but not including) 1.121.0 in the npm ecosystem. Check your lockfile for the resolved version (every copy of n8n, including nested ones), or scan automatically with VulnFeed.
Check your own project automatically
Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):
```bash
# Replace PKG and VERSION with the package name and the version resolved in your lockfile.
curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'
```
Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."
Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.