Ni8mare: Unauthenticated File Read and Instance Takeover in n8n

Repository contains a standalone Python exploit plus a Dockerized lab for reproducing a full unauthenticated-to-RCE chain against n8n. The main exploit file is exploit.py, which implements a multi-stage attack: it first abuses CVE-2026-21858 by POSTing JSON with Content-Type: application/json to a user-supplied form endpoint, crafting a fake uploaded file object whose filepath points to arbitrary local files. This yields arbitrary file read from the n8n host. The script then reads /proc/self/environ to locate HOME, reads $HOME/.n8n/config to recover the encryptionKey, and reads $HOME/.n8n/database.sqlite to extract admin-related data. From that material it forges an n8n-auth admin token/cookie and uses authenticated REST API calls to create/trigger a malicious workflow. For code execution, it abuses CVE-2025-68613 by inserting a JavaScript expression payload into a Set node; the payload reaches this.process.mainModule.require, imports child_process, and executes arbitrary shell commands via execSync. The script supports direct file read mode, single-command execution, and an interactive shell loop. Repository structure is small and purpose-built: exploit.py is the operational exploit; init/setup.sh provisions a local vulnerable n8n instance by creating an admin account, logging in, creating a formTrigger + respondToWebhook workflow, and activating it; Dockerfile installs n8n 1.65.0; docker-compose.yml exposes port 5678 and runs the setup script automatically; pyproject.toml defines Python dependencies (requests, pyjwt) and a console entry point; README.md documents the chain, limitations, references, and lab usage. This is not a detection script and not merely a README—it is a functional PoC/operational exploit with a hardcoded but effective RCE payload and a reproducible local lab.

This repository is a small standalone Python exploit PoC for CVE-2026-21858 affecting n8n. The repo contains one main exploit script (CVE-2026-21858.py), a README with setup/usage instructions, a docker-compose lab for reproducing the issue against n8n 1.120.0, and a minimal requirements file (requests, PyJWT). The exploit chain is multi-stage. First, it abuses a vulnerable form workflow endpoint by POSTing crafted JSON to /form/{form_id} with a fake attachment object whose filepath points to an arbitrary server-side file. It uses this to read /proc/self/environ, then parses HOME and N8N_ENCRYPTION_KEY from the returned content. From HOME it derives the n8n data directory (~/.n8n) and the SQLite database path (~/.n8n/database.sqlite). Next, it downloads the database file through the same file-read primitive and queries the user table for the global owner account. With the extracted encryption key and owner data, it forges an n8n-auth JWT and places it in the session cookie jar. After authentication bypass, the script uses n8n API functionality to validate the token, create a malicious workflow, execute it, poll/fetch the execution result, and print the command output supplied via --command. Finally, it attempts cleanup by archiving and deleting the created workflow artifact. This makes the PoC more than a simple file-read demonstration: it turns unauthenticated file disclosure into authenticated takeover and command execution, assuming the target deployment matches expected n8n filesystem and auth behavior. Repository structure is straightforward: the Python script is the only real code artifact and clear entry point; docker-compose.yml provisions a vulnerable local lab with a predictable N8N_ENCRYPTION_KEY and exposed port 5678; README.md explains how to create a vulnerable form workflow and run the exploit. Overall purpose: demonstrate end-to-end compromise of vulnerable n8n instances via form-based arbitrary file read chained into JWT forgery and malicious workflow execution.

This repository is a standalone exploit/lab for a full n8n attack chain combining CVE-2026-21858 (unauthenticated arbitrary file read via Content-Type confusion on a form upload workflow) with CVE-2025-68613 (expression injection sandbox bypass leading to command execution). The repository contains a Python exploit script, Docker-based vulnerable lab, and a Bash setup script that provisions a vulnerable n8n workflow. Structure: exploit.py is the main exploit entry point. It implements HTTP interaction, arbitrary file read against a supplied form endpoint, SQLite parsing of a downloaded n8n database, and JWT forging for admin authentication. The RCE stage is only stubbed in code, but the README documents the intended JavaScript expression payload using this.process.mainModule.require and child_process.execSync. init/setup.sh configures the local lab by waiting for n8n, creating an owner account, logging in, creating a workflow with a Form Trigger and Respond node, and activating it at /form/vulnerable-form. Dockerfile and docker-compose.yml build and run n8n 1.65.0 with insecure lab settings. Main exploit capabilities: (1) unauthenticated arbitrary file read by POSTing crafted JSON to a vulnerable form endpoint and controlling the file filepath field; (2) extraction of admin id/email/password hash from database.sqlite; (3) derivation of the JWT secret from the encryption key and forging of an n8n-auth cookie; (4) intended authenticated RCE through workflow/expression injection. The implemented code is operational for file read and token forging, while the final command-execution logic is incomplete in exploit.py and described in the README. Notable targets/endpoints include the vulnerable form path, n8n REST API endpoints used by the lab (/rest/settings, /rest/owner/setup, /rest/login, /rest/workflows), and sensitive local files such as /proc/self/environ, $HOME/.n8n/config, and $HOME/.n8n/database.sqlite. Overall, this is a real exploit repository with a working proof-of-concept for the early chain stages and documented end-to-end RCE intent.

Repository purpose: provides a runnable PoC/operational exploit chain (“Ni8mare”) against n8n combining CVE-2026-21858 (unauthenticated arbitrary file read via Content-Type confusion on a Form Trigger upload flow) and CVE-2025-68613 (expression injection leading to sandbox bypass and RCE). Structure: - exploit.py: main Python exploit. Implements (1) unauthenticated file read by POSTing JSON to a user-supplied form webhook path with Content-Type: application/json and a crafted files[].filepath, (2) discovery of HOME via /proc/self/environ, (3) reading $HOME/.n8n/config to obtain encryptionKey, (4) reading $HOME/.n8n/database.sqlite and extracting the global:owner user record, (5) deriving a JWT secret from encryptionKey and forging an admin session cookie (n8n-auth), and (6) authenticated RCE by creating a workflow with a Manual Trigger and a Set node containing a malicious expression that uses this.process.mainModule.require('child_process').execSync to run arbitrary commands. Provides --read for LFI, --cmd for one-shot command execution, and an interactive command loop. - docker-compose.yml + Dockerfile: builds a local vulnerable lab using n8n@1.65.0 exposed on port 5678, with an init volume. - img/setup.sh: automates lab initialization: waits for /rest/settings, creates an owner, logs in, creates and activates a workflow exposing /form/vulnerable-form with a file upload field and Respond node configured to return the uploaded binary—matching the exploit’s prerequisite. - pyproject.toml: Python packaging/entry point (script name: exploit). Key exploit capabilities: - Unauthenticated arbitrary file read from the n8n host/container filesystem by controlling a file path in the form upload handling. - Credential/material extraction (encryptionKey + SQLite DB) and admin token forging to gain authenticated API access. - Remote command execution via expression injection sandbox escape, returning command output; supports interactive mode. Notable targeting details: - Network target is an n8n HTTP service (commonly :5678). The exploit requires a known, reachable form webhook path (e.g., /form/vulnerable-form) that uses a file upload field and Respond node; without that workflow pattern, the chain may not work (as noted in README limitations).

Repository provides an operational exploit chain for n8n 1.120.4 labeled as CVE-2026-21858. Structure: (1) dockerfile + run.bat stand up a local vulnerable n8n instance (port 9000 mapped to localhost) and set N8N_ENCRYPTION_KEY; (2) workflow.txt is a workflow template the victim/admin must import and activate, exposing a Form Trigger webhook and using Extract From File to convert an uploaded file to text; (3) poc.py is the main exploit. poc.py takes a Form Trigger URL, parses it into TARGET_URL and FORM_PATH, then abuses the form submission JSON to supply an arbitrary server-side filepath in the 'files.file.filepath' field. It submits to the form endpoint, reads the returned formWaitingUrl, and fetches the processed output to exfiltrate local files. It specifically reads /home/n8n/.n8n/config to extract 'encryptionKey', derives a 'final_secret' as sha256(enc_key[::2]) hex, then reads /home/n8n/.n8n/database.sqlite to regex-extract an email, a bcrypt password hash, and a nearby UUID (treated as admin/user id). Using these, it computes an 'admin_hash' (base64(sha256(email:bcrypt)) truncated) and forges an HS256 JWT placed in the 'n8n-auth' cookie along with a browser-id header. With this forged authenticated session, it calls the n8n REST API to create a workflow containing the 'n8n-nodes-base.executeCommand' node with attacker-supplied commands, runs the workflow, and retrieves execution output from /rest/executions/{id}. The script then provides an interactive loop ("n8n-shell>") to execute arbitrary commands and print results.

Repository purpose: a full-chain exploit PoC for n8n dubbed “Ni8mare”, chaining CVE-2026-21858 (unauthenticated arbitrary file read via Content-Type confusion on a form upload workflow) with CVE-2025-68613 (expression injection sandbox bypass) to achieve remote code execution. Core exploit (exploit.py, Python): - Implements a Ni8mare class that targets a user-supplied base URL and a specific n8n Form Trigger path. - Stage 1 (Unauthenticated AFR/LFI): POSTs JSON to the form endpoint with header Content-Type: application/json and a crafted body containing files[...].filepath, causing n8n to copy/read an arbitrary server-side file and return its contents. - Uses AFR to read /proc/self/environ to discover HOME, then reads $HOME/.n8n/config to extract encryptionKey, and reads $HOME/.n8n/database.sqlite to extract the global:owner (admin) user record. - Stage 2 (Token forge): derives/uses a JWT secret from encryptionKey (forge_token function is present but truncated in provided content) and sets an authenticated session cookie (n8n-auth) for subsequent REST API calls. - Stage 3 (Authenticated RCE): programmatically creates a workflow containing a Manual Trigger and a Set node whose value is an expression-injection payload. The payload uses this.process.mainModule.require to import child_process and run execSync("CMD"), returning command output. Provides --cmd for single command execution and an interactive loop for repeated commands. - Includes a version check via GET /rest/settings and flags vulnerable if version < 1.121.0. Lab environment: - Dockerfile installs n8n@1.65.0 and exposes port 5678. - docker-compose.yml runs n8n with relaxed cookie settings and executes init/setup.sh after startup. - init/setup.sh creates an owner account, logs in, creates and activates a “Vulnerable Form” workflow (Form Trigger with a file field + Respond node responding with the uploaded binary), and prints the vulnerable form URL. Notable targeting constraints (from README and code): exploit is not universal; it requires an existing (or attacker-created, once authenticated) workflow that uses a Form Trigger with file upload and a Respond node configured to return the binary, because the AFR is triggered through that specific request handling path. No evidence of being part of Metasploit/Nuclei/etc.; it is a standalone Python exploit with a dockerized vulnerable lab.

Repository contains a Python exploit (exploit.py) and a Docker-based vulnerable lab for n8n. Core exploit (exploit.py): Implements a full-chain attack labeled “CVE-2026-21858 + CVE-2025-68613” against n8n. It targets a Form Trigger webhook endpoint (user-supplied form path) to perform unauthenticated arbitrary file read by submitting crafted JSON with a fake uploaded file object containing an attacker-controlled “filepath”. Using LFI, it reads /proc/self/environ to discover HOME, then reads $HOME/.n8n/config to obtain the encryptionKey and $HOME/.n8n/database.sqlite to extract the global owner’s id/email/password hash. It then forges an admin authentication token (used as the n8n-auth cookie) and proceeds to achieve RCE by creating/using workflow nodes containing a JavaScript expression payload that escapes to Node.js require() and executes OS commands via child_process.execSync, returning output. The CLI supports: --read PATH (LFI), --cmd CMD (single command), and an interactive command loop. Lab environment: Dockerfile installs n8n@1.65.0 and exposes port 5678. docker-compose.yml runs n8n with N8N_SECURE_COOKIE=false and WEBHOOK_URL=http://localhost:5678/. init/setup.sh waits for /rest/settings, creates an owner via /rest/owner/setup, logs in via /rest/login, creates a workflow with a Form Trigger (webhookId: vulnerable-form) and Respond node, activates it, and prints the vulnerable form URL (http://localhost:5678/form/vulnerable-form). Overall purpose: Provide an operational PoC/full-chain exploit and a reproducible container lab demonstrating unauthenticated file read leading to admin token forgery and remote command execution on vulnerable n8n instances.

Repository contains a single Python exploit (exploit.py) and a README describing an unauthenticated full-chain RCE against n8n < 1.121.0 by chaining CVE-2026-21858 (content-type confusion leading to arbitrary file read via a public form endpoint) with CVE-2025-68613 (expression injection leading to command execution). Structure & flow: - README.md: documents the attack chain, prerequisites (public form endpoint in an active workflow with file upload + binary response), and usage modes (file read, single command, interactive shell). - exploit.py: implements class Ni8mare that: 1) Targets a user-supplied base URL and form path; uses requests.Session. 2) Performs arbitrary file read by POSTing JSON to the form endpoint with a crafted "files" object containing a chosen "filepath". 3) Reads /proc/self/environ to discover HOME, then reads $HOME/.n8n/config to extract encryptionKey, and $HOME/.n8n/database.sqlite to obtain the user database. 4) Parses the exfiltrated SQLite DB locally (writes to a temp .db file) to locate admin/owner user data (code is partially truncated in provided content but clearly intended to dump/identify admin and derive needed secrets). 5) Forges an admin JWT (stored as cookie n8n-auth) and uses authenticated REST calls (at least /rest/settings is explicit; additional REST endpoints for workflow creation/execution are implied by pwn()/rce() usage). 6) Achieves RCE by constructing workflow nodes (Manual Trigger -> Set) where the Set node value contains a JavaScript expression that calls process.mainModule.require('child_process').execSync("CMD") and returns stdout. Capabilities: - Unauthenticated arbitrary file read (LFI-style) against the form endpoint. - Credential/secret extraction from n8n config and SQLite DB. - Admin token forgery (JWT) and authenticated API interaction. - Remote command execution with output retrieval; supports one-shot commands and an interactive loop. Notable fingerprintable targets/observables: - HTTP GET /rest/settings for version detection. - Form endpoint at <base_url>/<form_path> for the LFI primitive. - File paths: /proc/self/environ, $HOME/.n8n/config, $HOME/.n8n/database.sqlite. - Auth cookie name: n8n-auth. - Node.js execution primitive: child_process.execSync via injected expression.

Repository contains documentation-heavy reconstruction of a claimed full-chain exploit for CVE-2026-21858 ("Ni8mare") targeting n8n (versions >=1.65.0 and <1.121.0). There are 5 files, mostly Markdown: ATTACKVECTOR.md (kill chain and attack surface), README.md (root-cause explanation, lab setup, and a single-file Python exploit), plus DISCLAIMER.md, SECURITY.md, and AUTHOR_RESEARCHER.md. Core exploit capability (as described and partially implemented in README.md): 1) Unauthenticated arbitrary file read via Content-Type confusion against an n8n Form Webhook endpoint. The exploit sends Content-Type: application/json with a JSON array containing objects shaped like uploaded files (filepath/mimetype/filename). This is intended to override req.body.files and trick server-side logic (prepareFormReturnItem/copyBinaryFile) into copying arbitrary local files into an accessible n8n storage location. 2) Session forgery/authentication bypass by stealing N8N_ENCRYPTION_KEY from /home/node/.n8n/config and generating a JWT (HS256) placed in the 'n8n-auth' cookie. The script computes a short hash as sha256(email+password)[:10] and uses userId=1. 3) Post-auth RCE by calling the n8n REST API endpoint /rest/workflows to create/activate a workflow containing an Execute Command node that runs a bash reverse shell to an attacker-controlled host/port. Notable limitations/observations: the included Python class shows the chain logic but does not implement the actual retrieval of the copied file contents (read_file only checks HTTP 200) nor automated extraction of N8N_ENCRYPTION_KEY from the exfiltrated artifact; those steps are described conceptually. Overall, it is an operational PoC-style chain with a hardcoded/basic payload (reverse shell) and clear network targets/endpoints (webhook test endpoint and /rest/workflows).

This repository provides a full-chain exploit for n8n, targeting CVE-2026-21858 (Arbitrary File Read) and CVE-2025-68613 (Expression Injection RCE). The exploit is implemented in Python (exploit.py) and automates the attack chain: it first abuses a file upload endpoint to read arbitrary files (including sensitive n8n config and database files), then forges an admin JWT token, and finally creates a malicious workflow to achieve remote code execution via a sandbox bypass. The repository includes a Dockerfile and docker-compose.yml for setting up a vulnerable n8n instance, and an init/setup.sh script to automate the creation of a vulnerable workflow. The exploit requires the target n8n instance to have a specific workflow configuration (form with file upload and Respond node). The main attack vector is network-based, exploiting HTTP endpoints exposed by n8n. Key fingerprintable endpoints include the n8n web interface (http://localhost:5678/), the REST API (/rest/settings), and the vulnerable form endpoint (/form/vulnerable-form). The exploit demonstrates a critical unauthenticated RCE chain and is a proof-of-concept, not a universal exploit.