n8n Authentication Bypass Vulnerability (CVE-2026-21858) Actively Exploited
Stormshield
January 19, 2026

AI-generated summary
A critical authentication bypass vulnerability (CVE-2026-21858) has been discovered in the n8n workflow automation platform. Actively exploited, it allows unauthenticated attackers to remotely read files and steal administrator sessions by manipulating file uploads. Updates to version 1.121.0 or later are recommended to mitigate this severe security flaw.
A new critical authentication bypass vulnerability impacting the workflow automation platform n8n, identified as CVE-2026-21858, was disclosed on the 7th of January 2026. It has been assigned a CVSS 3.1 score of 10.
Note that it is actively exploited: the technical details allowing an attacker to exploit CVE-2026-21858 are public, and ongoing exploitation attempts have been detected.
Initial attack vector of the n8n vulnerability
The vulnerability allows an unauthenticated attacker to remotely read arbitrary files stored on the platform, which can lead to the theft of an administrator session.
Technical details of the n8n vulnerability
When a file is uploaded to the platform, no check is performed on the “Content-Type” field of the HTTP header. A threat actor can then manipulate the behavior of the file upload mechanism to force the server to read the content of other files stored on the same platform. The threat actor can then query the AI agent about the content of those files to gain access to any secrets they may contain.
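The kind of server-side check whose absence is described above, as an added example (not n8n's code and not taken from the original advisory): the upload path is entered only when the request really is `multipart/form-data`, and only for file references inside the server's own upload directory, a second check that goes slightly beyond the text. The directory, the request shape and all function names are assumptions made for this illustration.

```javascript
// Hypothetical directory where the server's own multipart parser stores uploads.
const UPLOAD_DIR = '/var/lib/app/uploads/';

// Split a Content-Type header value into media type and boundary parameter.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [type, ...params] = header.split(';').map((s) => s.trim());
  const parsed = { type: type.toLowerCase(), boundary: null };
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq > 0 && p.slice(0, eq).trim().toLowerCase() === 'boundary') {
      parsed.boundary = p.slice(eq + 1).trim().replace(/^"|"$/g, '') || null;
    }
  }
  return parsed;
}

// True only for a plain file name directly inside UPLOAD_DIR.
function isUploadedFile(filepath) {
  if (typeof filepath !== 'string' || !filepath.startsWith(UPLOAD_DIR)) return false;
  const name = filepath.slice(UPLOAD_DIR.length);
  return /^[A-Za-z0-9._-]+$/.test(name) && name !== '.' && name !== '..';
}

// Gate for the upload code path. The request shape
// { headers, files: [{ filepath }] } is an assumption for this example.
function checkUpload(req) {
  const ct = parseContentType(req.headers['content-type']);
  if (!ct || ct.type !== 'multipart/form-data' || !ct.boundary) {
    return { ok: false, reason: 'content-type is not multipart/form-data' };
  }
  if (!Array.isArray(req.files) || !req.files.every((f) => f && isUploadedFile(f.filepath))) {
    return { ok: false, reason: 'file reference outside upload directory' };
  }
  return { ok: true, reason: null };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { headers: { 'content-type': 'multipart/form-data; boundary=x1' },
    files: [{ filepath: '/var/lib/app/uploads/report.pdf' }] },
  { headers: { 'content-type': 'application/json' },
    files: [{ filepath: '/srv/app/config/settings.json' }] },
];
for (const s of SAMPLES) console.log(s.headers['content-type'], checkUpload(s));
```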
Attack modelling with MITRE ATT&CK
T1190: Exploit Public-Facing Application
How to protect against the n8n vulnerability with Stormshield Network Security
Protection against CVE-2026-21858
Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2026-21858 with their protocol inspection:
http:mix.364 = Web : Possible exploitation of a Content-Type confusion in an n8n platform (CVE-2026-21858)
Recommendations regarding the n8n vulnerability
It is highly recommended to update the n8n platform to version 1.121.0 or above.
