The "Ni8mare" Meltdown: Dissecting CVE-2026-21858 and CVE-2025-68613 in AI Orchestration

The era of “Model Security” is evolving into “Infrastructure Security.” While the industry spent 2025 worrying about Prompt Injection, the real devastation has arrived in the orchestration layer.

January 2026 has opened with a catastrophic disclosure for the AI engineering community: CVE-2026-21858, a CVSS 10.0 unauthenticated Remote Code Execution (RCE) vulnerability in n8n. This comes less than a month after the disclosure of CVE-2025-68613, a critical authenticated RCE in the same platform.

For security engineers and Red Teamers, n8n is not just a “tool”; it is the backbone of thousands of autonomous AI agents, connecting LLMs (OpenAI, Anthropic) to internal databases and APIs. Compromising n8n means compromising the entire AI supply chain.

This article deconstructs the exploit chains for both vulnerabilities, analyzes the root causes, and provides actionable remediation paths.

The “Ni8mare”: Deconstructing CVE-2026-21858 (Unauthenticated RCE)

Severity: Critical (CVSS 10.0)

Vector: Network / Unauthenticated

Impact: Full Server Takeover

Dubbed “Ni8mare” by researchers at Cyera, CVE-2026-21858 represents the worst-case scenario for AI infrastructure: a zero-click, unauthenticated takeover.

The Root Cause: Content-Type Confusion

The vulnerability resides in n8n’s webhook handling logic and how it processes incoming HTTP requests. n8n uses a middleware to parse incoming data based on the Content-Type header.

In vulnerable versions (prior to 1.121.0), the application failed to strictly enforce the relationship between the declared Content-Type and the actual parsing logic used for internal state management.

An attacker can send a specially crafted HTTP request that:

  1. Declares a benign Content-Type (e.g., application/json) to bypass initial firewall (WAF) checks.
  2. Manipulates the body structure to trick the internal parser into overriding the req.body object.
  3. Injects malicious configuration parameters that the application blindly trusts.

The Exploit Path

The critical flaw allows an attacker to “confuse” the server into accepting a file upload path that overwrites internal configuration files, such as config or database.sqlite.

Once the configuration is overwritten, the attacker can:

  1. Reset Authentication: Overwrite the admin user credentials.
  2. Extract Secrets: Read the .env or config files containing API keys for third-party services (AWS, OpenAI, Stripe).
  3. Execute Code: Use the now-accessible “Execute Command” node to spawn a reverse shell.

```javascript
// Pseudo-code illustrating the logic flaw
// VULNERABLE LOGIC: Trusting user input for file handling without strict type checks

app.post('/webhook/:id', (req, res) => {
  // The parser assumes if 'files' exists in body, it was a valid upload
  // But a crafted JSON body can simulate this structure
  if (req.body.files && req.body.files.config_override) {
    // CRITICAL: Overwriting internal state based on unauthenticated input
    internalState.updateConfig(req.body.files.config_override.path);
  }
  executeWorkflow(req.params.id);
});
```

Because n8n often runs with high privileges to execute system tasks, this RCE effectively grants root-level access to the host container.

The Precursor: CVE-2025-68613 (Authenticated RCE)

Severity: Critical (CVSS 9.9)

Vector: Network / Authenticated (Low Privilege)

Before the unauthenticated “Ni8mare,” there was CVE-2025-68613. While less severe due to the authentication requirement, it highlighted the fragility of Expression Evaluation in AI workflows.

The Root Cause: Expression Injection

n8n allows users to write JavaScript expressions to transform data between nodes. The vulnerability (affecting versions prior to 1.122.0) allowed an attacker with “Member” or low-level access to break out of the expression sandbox.

By crafting a malicious workflow with a specific JavaScript payload inside an expression field (e.g., inside a Set node), an attacker could access the Node.js process object.

Attack Scenario

  1. Access: Attacker gains access to a low-privileged account (e.g., via a leaked invite link or weak password).
  2. Payload: Create a workflow utilizing the Function or Code node.
  3. Escape: Use `return global.process.mainModule.require('child_process').execSync('id');` to bypass restrictions.
  4. Execution: The moment the workflow is “Tested” or “Activated,” the code executes on the server.
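
For defenders reviewing existing workflows, the following added example (not code from the original article or from n8n) scans a workflow export for parameters that reference the Node.js internals named in the scenario above. The `nodes[].parameters` layout, the node type strings, the `jsCode` field and the sample workflow are assumptions constructed for illustration.

```javascript
// Added example: flag workflow parameters that reach for Node.js internals.
// Patterns are limited to the tokens that appear in the scenario above.
const SUSPICIOUS = [
  { name: 'global.process', re: /\bglobal\s*\.\s*process\b/ },
  { name: 'mainModule', re: /\bmainModule\b/ },
  { name: 'require(', re: /\brequire\s*\(/ },
  { name: 'child_process', re: /\bchild_process\b/ },
  { name: 'execSync', re: /\bexecSync\b/ },
];

// Yield [path, string] for every string nested anywhere inside a value.
function* stringsIn(value, path) {
  if (typeof value === 'string') {
    yield [path, value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* stringsIn(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* stringsIn(v, `${path}.${k}`);
  }
}

// Return one finding per parameter string that matches any pattern.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const [path, text] of stringsIn(node.parameters, 'parameters')) {
      const hits = SUSPICIOUS.filter((p) => p.re.test(text)).map((p) => p.name);
      if (hits.length) findings.push({ node: node.name, type: node.type, path, hits });
    }
  }
  return findings;
}

// Constructed sample export (assumed layout): one benign node, one suspect node.
const SAMPLE_WORKFLOW = {
  name: 'constructed-sample',
  nodes: [
    { name: 'Rename fields', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'title', value: '={{ $json.title.trim() }}' }] } } },
    { name: 'Transform', type: 'n8n-nodes-base.code',
      parameters: { jsCode: "return global.process.mainModule.require('child_process').execSync('id');" } },
  ],
};

console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
```

A hit is a triage signal for manual review, and string matching will not catch property access that is assembled at run time, so a clean scan does not replace upgrading.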

Technical Comparison: The 2026 vs. 2025 Threat Landscape

| Feature | CVE-2026-21858 (“Ni8mare”) | CVE-2025-68613 |
|---|---|---|
| Authentication | None (Unauthenticated) | Required (Low Priv) |
| CVSS Score | 10.0 (Critical) | 9.9 (Critical) |
| Root Cause | Content-Type / Parser Confusion | Sandbox Escape / Expression Injection |
| Attack Vector | Webhook Endpoints | Workflow Editor UI |
| Primary Target | Public-facing Webhook listeners | Internal/Shared Dev Environments |

Why This Matters for AI Security

These vulnerabilities are not just “server bugs”; they are AI Supply Chain breaches.

  1. RAG Poisoning: An attacker controlling n8n can intercept documents flowing into your Vector Database, injecting backdoors or false data into your corporate knowledge base.
  2. Agent Hijacking: Autonomous agents built on n8n can be reprogrammed to exfiltrate data or launch attacks on other internal systems.
  3. Credential Theft: n8n acts as a “Key Vault” for LLM providers. A single RCE exposes your OPENAI_API_KEY, ANTHROPIC_API_KEY, and database credentials.

Mitigation and Remediation

Immediate Action Required:

  1. Patch Immediately: Upgrade n8n to version 1.122.0 or higher immediately. This patches both CVEs.
  2. Network Isolation: Never expose the n8n dashboard interface (port 5678) directly to the public internet. Use a VPN or reverse proxy with strict authentication (e.g., Cloudflare Access, Authelia).
  3. Sanitize Webhooks: If you must expose webhooks, ensure they are behind an API Gateway that validates the request schema before it reaches the n8n instance.
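
As an illustration of the "Sanitize Webhooks" step and of enforcing the Content-Type relationship described under the root cause, here is an added example (not from the original article and not n8n's own code) of a gateway-side request check. The schema in `EXPECTED_FIELDS` and both sample requests are hypothetical values constructed for this example; the `files` key comes from the article's pseudo-code.

```javascript
// Added example: a gateway-side check in front of an n8n webhook.
// EXPECTED_FIELDS and the sample requests are constructed for illustration.
const ALLOWED_TYPES = new Set(['application/json']);
// Keys only an upload parser should populate; 'files' is the key the
// pseudo-code above trusts. The rest guard against prototype tampering.
const RESERVED_KEYS = new Set(['files', '__proto__', 'constructor', 'prototype']);
const EXPECTED_FIELDS = new Map([['event', 'string'], ['ticketId', 'number']]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// headers: lower-cased header names, as Node.js presents them.
function validateWebhookRequest(headers, rawBody) {
  if (!ALLOWED_TYPES.has(mediaType(headers['content-type']))) {
    return { ok: false, reason: 'content-type not allowed' };
  }
  let body;
  try {
    body = JSON.parse(rawBody); // the body must parse as the type it declares
  } catch {
    return { ok: false, reason: 'body does not match content-type' };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  for (const key of Object.keys(body)) {
    if (RESERVED_KEYS.has(key)) return { ok: false, reason: `reserved key: ${key}` };
    if (!EXPECTED_FIELDS.has(key)) return { ok: false, reason: `unexpected key: ${key}` };
    if (typeof body[key] !== EXPECTED_FIELDS.get(key)) {
      return { ok: false, reason: `wrong type for ${key}` };
    }
  }
  for (const key of EXPECTED_FIELDS.keys()) {
    if (!Object.keys(body).includes(key)) return { ok: false, reason: `missing key: ${key}` };
  }
  return { ok: true, body };
}

// Constructed requests: a normal event, and a JSON body imitating an upload.
const GOOD = validateWebhookRequest(
  { 'content-type': 'application/json; charset=utf-8' },
  '{"event":"created","ticketId":42}');
const CRAFTED = validateWebhookRequest(
  { 'content-type': 'application/json' },
  '{"event":"created","ticketId":42,"files":{"config_override":{"path":"x"}}}');
console.log(GOOD.ok, CRAFTED.reason); // true reserved key: files
```

Only the validated `body` should be forwarded to n8n, and the distinct rejection reasons are worth logging, since a burst of reserved-key rejections on a webhook path is itself a detection signal.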

Automated Validation: The Agentic Approach

In the fast-moving world of 2026, relying on manual patch management or annual pentests is insufficient. Vulnerabilities like CVE-2026-21858 appear overnight and are weaponized within hours.

This is where Penligent changes the paradigm. As an AI-powered automated penetration testing platform, Penligent doesn’t just scan for known signatures; it behaves like an attacker.

When pointed at your infrastructure, Penligent’s agentic core can:

  • Autonomous Discovery: Identify exposed n8n instances and webhook endpoints that human auditors might miss.
  • Safe Exploitation: Validate CVE-2026-21858 by attempting the Content-Type manipulation logic without destructively overwriting configs, proving the risk with zero downtime.
  • Continuous Monitoring: Unlike static scanners, Penligent provides “Human-in-the-loop” validated intelligence, ensuring your AI orchestration layer remains resilient against the next wave of zero-days.

Final Thought: The security of your AI Agents depends entirely on the security of the tools that build them. Don’t let your orchestration layer be the weakest link.
