
n8n RCE in workflow automation: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: CVE-2026-21858, a flaw in n8n, lets unauthenticated attackers exploit Content-Type confusion in webhook and file-handling logic to read secrets, forge sessions, and reach code execution on exposed instances, according to Orca Security. The issue shows how automation platforms can turn one parser bug into full infrastructure compromise when identity and request boundaries blur.

NHIMG editorial — based on content published by Orca Security: n8n CVE-2026-21858 content-type confusion vulnerability analysis

Questions worth separating out

Q: What breaks when a workflow automation platform has a Content-Type confusion flaw?

A: The parser can be tricked into trusting attacker-controlled request state, which means unauthenticated input may reach file access or execution paths that were meant to stay protected.

Q: Why are workflow automation platforms so dangerous when they store secrets?

A: They sit close to both identity material and downstream integrations, so a compromise can expose the credentials that unlock many other systems.

Q: How can security teams limit blast radius in self-hosted automation systems?

A: Segment the automation host, reduce connector scope, and remove any access the platform does not need to complete its work.

Practitioner guidance

  • Patch vulnerable n8n instances immediately: upgrade self-hosted deployments to version 1.121.0 or later, then verify that every exposed webhook and file-handling path is running the fixed build.
  • Inventory secrets stored in automation platforms: map which credentials, tokens, and certificates the workflow engine can access, then reduce stored secret scope to the minimum needed for each integration.
  • Reduce webhook trust and file access reach: restrict external webhook exposure, isolate file upload handling, and remove unnecessary filesystem permissions from the automation runtime.
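As an added illustration of the request-boundary check described in the first Q&A and the last guidance item (editorial example code, not n8n's code and not the vendor fix; it assumes hypothetical routes /webhook/json and /webhook/upload and header names already lowercased as Node does), here is a webhook gate that accepts a body only when its declared Content-Type is on the route's allow-list and the body actually conforms to that type, so a mismatch is rejected instead of being handed to a more permissive parser.

```javascript
// Parse "type/subtype; param=value" into its parts (RFC 7231 shape).
// Returns null for anything malformed, including duplicate parameters.
function parseContentType(header) {
  if (typeof header !== 'string' || header.trim() === '') return null;
  const [mediaPart, ...paramParts] = header.split(';');
  const media = mediaPart.trim().toLowerCase();
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(media)) return null;
  const params = Object.create(null);
  for (const p of paramParts) {
    const idx = p.indexOf('=');
    if (idx < 0) return null;
    const k = p.slice(0, idx).trim().toLowerCase();
    const v = p.slice(idx + 1).trim().replace(/^"(.*)"$/, '$1');
    if (!k || k in params) return null; // repeated params are a confusion signal
    params[k] = v;
  }
  return { media, params };
}

// Hypothetical per-route allow-lists: a JSON webhook never needs multipart,
// and an upload route never needs to be parsed as JSON.
const ROUTE_POLICY = {
  '/webhook/json': ['application/json'],
  '/webhook/upload': ['multipart/form-data'],
};

// Verify that the body really conforms to the declared media type.
function bodyMatches(ct, body) {
  if (ct.media === 'application/json') {
    try { JSON.parse(body); return true; } catch { return false; }
  }
  if (ct.media === 'multipart/form-data') {
    const b = ct.params.boundary;
    if (!b || b.length > 70) return false; // boundary is mandatory (RFC 2046)
    return body.startsWith(`--${b}\r\n`) && body.includes(`\r\n--${b}--`);
  }
  return false; // anything else is not a type this gate knows how to check
}

// Decide whether (route, headers, body) may reach the workflow engine.
// Returns { allowed, reason } so the reason can be logged for detection.
function gateRequest(route, headers, body) {
  const allowed = ROUTE_POLICY[route];
  if (!allowed) return { allowed: false, reason: 'unknown route' };
  const ct = parseContentType(headers['content-type']);
  if (!ct) return { allowed: false, reason: 'missing or malformed content-type' };
  if (!allowed.includes(ct.media)) {
    return { allowed: false, reason: `media type ${ct.media} not allowed on ${route}` };
  }
  if (!bodyMatches(ct, body)) {
    return { allowed: false, reason: `body does not conform to declared ${ct.media}` };
  }
  return { allowed: true, reason: 'ok' };
}
```

Rejected requests, especially those whose declared type and body disagree, are worth alerting on, since they are the shape of input the page's summary warns about.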

What's in the full article

Orca Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Exact affected versions and the upgrade path to n8n 1.121.0 or later.
  • The request patterns used to trigger the Content-Type confusion flaw in webhook and file-handling logic.
  • Exposure context for internet-facing instances and how runtime reachability changes risk.
  • Why the published proof-of-concept makes prioritisation and validation more urgent for self-hosted deployments.

👉 Read Orca Security's analysis of the n8n CVE-2026-21858 takeover risk →

