GHSA-v4pr-fm98-w9pg

Source

https://github.com/advisories/GHSA-v4pr-fm98-w9pg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v4pr-fm98-w9pg/GHSA-v4pr-fm98-w9pg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v4pr-fm98-w9pg

Aliases

CVE-2026-21858

Published

2026-01-07T19:20:19Z

Modified

2026-02-03T03:01:21.697680Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling

Details

Impact

A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage.

Patches

The issue has been fixed in n8n version 1.121.0. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

No official workarounds are available. As a temporary mitigation, users may restrict or disable publicly accessible webhook and form endpoints until upgrading.

Database specific

{
    "nvd_published_at": "2026-01-08T00:15:59Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed_at": "2026-01-07T19:20:19Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

Affected packages

npm / n8n

Package

Name: n8n; View open source insights on deps.dev
Purl: pkg:npm/n8n

Affected ranges

Type: SEMVER
Events: Introduced

1.65.0

Fixed

1.121.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v4pr-fm98-w9pg/GHSA-v4pr-fm98-w9pg.json"