BloodFlow
Overview
BloodFlow is a very easy Linux box centered on a recently disclosed critical vulnerability in the n8n workflow automation platform. n8n's default port, 5678, shows as filtered from the outside; the n8n interface is instead reachable over HTTP on port 80. CVE-2026-21858 is an unauthenticated chain that starts with arbitrary file read and escalates to remote code execution; it is rated CVSS 10.0.
Path: n8n on port 5678 → CVE-2026-21858 file read → RCE → shell.
Enumeration
A full TCP scan surfaces three ports: SSH, an HTTP server, and port 5678 in a filtered state. 5678 is n8n's default listening port; the "rrac" label nmap prints is only its static service-name table entry for that port, not a fingerprint of what is actually listening.
$ nmap -p- -T4 10.129.234.54
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5678/tcp filtered rrac

Browsing to port 80 reveals the web interface.

The application is an n8n instance. Checking the version confirms it falls in the range affected by CVE-2026-21858.
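The version check above is shown as a screenshot in the original writeup. As an added example (not part of the writeup, and not the PoC's code), the script below pulls the version from n8n's settings endpoint and compares it numerically against a fixed version supplied on the command line; the writeup does not state the affected range, so no threshold is hard-coded. The `/rest/settings` path and the `versionCli` field are assumptions about n8n's unauthenticated settings response, and the sample JSON is constructed here so the parsing and comparison run offline.

```python
"""Added example: read the n8n version from its settings endpoint and
compare it with a patched version. Not code from the BloodFlow writeup."""
import json
import re
import sys
import urllib.request

# Assumption: n8n answers GET /rest/settings with JSON whose "data" object
# carries a "versionCli" string. Both names are assumed, not taken from the writeup.
SETTINGS_PATH = "/rest/settings"

# Constructed sample response for offline use; not captured from the box.
SAMPLE_SETTINGS = '{"data": {"versionCli": "1.70.0", "endpointWebhook": "webhook"}}'


def parse_version(text):
    """Turn '1.70.0' (or '1.70.0-rc.1') into a comparable (major, minor, patch) tuple.
    Only the first three numeric groups count; a pre-release suffix is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def extract_version(body):
    """Pull versionCli out of a settings response body (tolerates a missing 'data' wrapper)."""
    doc = json.loads(body)
    data = doc.get("data", doc)
    version = data.get("versionCli")
    if not isinstance(version, str):
        raise ValueError("settings response has no versionCli field")
    return version


def is_vulnerable(version, fixed_version):
    """True when the running version is strictly older than the fixed one.
    Tuples are compared numerically, so '1.9.0' correctly sorts below '1.70.0'
    (a plain string comparison would get that wrong)."""
    return parse_version(version) < parse_version(fixed_version)


def fetch_settings(base_url, timeout=5):
    """GET the settings document from a live instance (network; not used by the offline checks)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SETTINGS_PATH,
        headers={"User-Agent": "n8n-version-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: python check.py http://10.129.234.54 <fixed_version>
    if len(sys.argv) != 3:
        sys.exit("usage: check.py <base_url> <fixed_version>")
    base, fixed = sys.argv[1], sys.argv[2]
    ver = extract_version(fetch_settings(base))
    state = "older than fix, likely affected" if is_vulnerable(ver, fixed) else "at or above fix"
    print(f"{base}: n8n {ver} ({state})")
```

Run it against the box with the fixed version from the vendor advisory; the offline functions are the part worth reusing, since an unauthenticated version disclosure is also what a scanner would key on.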


Foothold — CVE-2026-21858
CVE-2026-21858 (n8n Ni8mare) is an unauthenticated exploit chain in n8n that abuses the workflow execution engine to first leak arbitrary files from the server, then escalate to full remote code execution. The public PoC from Chocapikk/CVE-2026-21858 handles the complete chain.

The exploit achieves code execution on the server:



Takeaways
- CVE-2026-21858 makes any internet-exposed n8n instance a trivial unauthenticated RCE target — n8n should never be exposed publicly without authentication in front of it.
- Workflow automation platforms frequently run with broad OS-level permissions; RCE in this context often yields an immediately usable shell without further escalation.
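To make the first takeaway concrete, here is an added nginx example (not from the writeup or from the n8n project) showing the exposed pattern next to a hardened one. It assumes n8n is bound to 127.0.0.1:5678 on the same host, that an htpasswd file exists at the path shown, and that the allowed source range is 10.0.0.0/8; all three are placeholders to adjust.

```nginx
# Added example, not part of the BloodFlow writeup.

# Weak: everything that reaches the proxy reaches n8n. An unauthenticated
# pre-auth bug in n8n is then reachable from anywhere that can hit port 80.
server {
    listen 80;
    server_name n8n.example.internal;   # placeholder
    location / {
        proxy_pass http://127.0.0.1:5678;
    }
}

# Hardened: TLS, an allowlist, and proxy-level authentication in front of n8n,
# so an unauthenticated request never reaches the application at all.
server {
    listen 443 ssl;
    server_name n8n.example.internal;                       # placeholder
    ssl_certificate     /etc/nginx/certs/n8n.crt;           # placeholder path
    ssl_certificate_key /etc/nginx/certs/n8n.key;           # placeholder path

    location / {
        allow 10.0.0.0/8;                                    # placeholder range
        deny  all;

        auth_basic           "n8n";
        auth_basic_user_file /etc/nginx/n8n.htpasswd;        # placeholder path

        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;
        # n8n's editor keeps a websocket open for push updates.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect plaintext to TLS instead of serving the app over it.
server {
    listen 80;
    server_name n8n.example.internal;   # placeholder
    return 301 https://$host$request_uri;
}
```

The proxy only helps if n8n itself is not reachable directly: bind it to the loopback address (n8n reads the listen address from the N8N_LISTEN_ADDRESS environment variable) and firewall 5678 so that the filtered state seen in the scan is enforced rather than incidental. Webhook endpoints that external services must call need a separate, narrowly scoped location if basic auth would break them.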