Myles Nieman

BloodFlow

Overview

BloodFlow is a very easy Linux box centered on a recently disclosed critical vulnerability in the n8n workflow automation platform. The host runs n8n on its default port 5678 (filtered from the outside, but the same application is reachable over HTTP on port 80 through a proxy or redirect). CVE-2026-21858 is an unauthenticated chain that starts with arbitrary file read and escalates to remote code execution — CVSS 10.0.

Path: n8n on port 5678 → CVE-2026-21858 file read → RCE → shell.

Enumeration

A full TCP scan surfaces three ports: SSH, an HTTP server, and a filtered port at 5678, which is n8n's default port. Nmap labels 5678 as "rrac" purely from its static service table, not from any fingerprint, and "filtered" means the probes were dropped by a firewall rather than answered, so neither field says anything about what is actually listening.

$ nmap -p- -T4 10.129.234.54
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
5678/tcp filtered rrac

Nmap output showing SSH, HTTP, and the filtered n8n port

Browsing to port 80 reveals the web interface.

n8n web interface accessible via port 80

The application is an n8n instance. Checking the version confirms it falls in the range affected by CVE-2026-21858.

n8n landing page confirming the instance and version

n8n version details

Foothold — CVE-2026-21858

CVE-2026-21858 (n8n Ni8mare) is an unauthenticated exploit chain in n8n that abuses the workflow execution engine to first leak arbitrary files from the server, then escalate to full remote code execution. The public PoC from Chocapikk/CVE-2026-21858 handles the complete chain.

CVE-2026-21858 exploit running against the target

The exploit achieves code execution on the server:

Exploit output showing successful RCE

Shell or flag output from the exploit

Root or user flag retrieved

Takeaways

  • CVE-2026-21858 makes any internet-exposed n8n instance a trivial unauthenticated RCE target — n8n should never be exposed publicly without authentication in front of it.
  • Workflow automation platforms frequently run with broad OS-level permissions; RCE in this context often yields an immediately usable shell without further escalation.
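One way to implement the first takeaway, as an added example that is not part of the original writeup: an nginx reverse proxy that demands HTTP basic authentication before any request reaches n8n, with n8n itself bound to loopback so port 5678 is never reachable from outside. The hostname, certificate paths and htpasswd file location are assumptions.

```nginx
# Assumption: n8n is started with N8N_LISTEN_ADDRESS=127.0.0.1 and N8N_PORT=5678,
# so the application only accepts connections from this proxy on the same host.
server {
    listen 443 ssl;
    server_name n8n.example.internal;            # assumed hostname

    ssl_certificate     /etc/nginx/tls/n8n.crt;  # assumed certificate path
    ssl_certificate_key /etc/nginx/tls/n8n.key;  # assumed key path

    # Authentication is enforced at the proxy for every path, so an
    # unauthenticated request never reaches the n8n process at all.
    auth_basic           "n8n";
    auth_basic_user_file /etc/nginx/htpasswd-n8n; # assumed htpasswd file

    location / {
        proxy_pass http://127.0.0.1:5678;

        # n8n's editor uses long-lived connections; pass WebSocket upgrades through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 3600;
    }
}

# Plain-HTTP listener only redirects, so credentials are never sent in clear text.
server {
    listen 80;
    server_name n8n.example.internal;
    return 301 https://$host$request_uri;
}
```

Workflows that receive inbound webhooks from third parties would need a narrowly scoped exception to the basic-auth requirement, and that exception should be reviewed against the vendor advisory before it is added.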