Alerts

CRITICAL: Patch n8n Now — Unauthenticated RCE Affects 100K Servers

Zero Day Wire

11 Jan 2026 — 1 min read

Patch immediately. CVSS 10.0.

A maximum-severity flaw in n8n allows unauthenticated attackers to fully compromise servers and access all connected systems including API keys, databases, and cloud services.

Vulnerability Summary


CVE	CVE-2026-21858
Severity	10.0 CRITICAL
Affected	n8n versions < 1.121.0
Exploited	PoC available
Patch	Upgrade to 1.121.0+

What's at Risk

Attackers can chain this vulnerability to:

Read arbitrary server files without credentials
Extract database and config files
Forge admin session cookies
Execute commands on the underlying system

With n8n's access to connected services (Google Drive, Salesforce, CI/CD pipelines, payment processors), a single compromise can cascade across your entire infrastructure.

Immediate Actions

Upgrade to n8n version 1.121.0 or later
Disable publicly accessible webhook/form endpoints until patched
Audit existing workflows for exposed Form nodes
Review logs for suspicious webhook activity

Who's Affected

Approximately 100,000 self-hosted n8n instances globally. Cloud-managed deployments are less impacted.

Tags: Critical, CVE-2026-21858, n8n, RCE, Patch Now

PayPal Confirms Six-Month Data Exposure After Loan System Code Error Leaked Social Security Numbers

PayPal has confirmed a data exposure incident affecting its Working Capital (PPWC) business loan service, where a software code change left sensitive customer information accessible for nearly six months before being detected. The exposure ran from 1 July 2025 to 12 December 2025, when the error was finally discovered and

AWS Reports 600+ FortiGate Firewalls Compromised in AI-Augmented Campaign by Russian-Speaking Cybercrime Group

A financially motivated Russian-speaking cybercrime group compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, using off-the-shelf generative AI tools to scale an operation that would traditionally require a well-resourced team, according to a new incident report from AWS. The campaign, which ran from

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors

Read more

PayPal Confirms Six-Month Data Exposure After Loan System Code Error Leaked Social Security Numbers

AWS Reports 600+ FortiGate Firewalls Compromised in AI-Augmented Campaign by Russian-Speaking Cybercrime Group

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse