n8n Node.js Package 1.65.0 < 1.121.0 Improper Access Control (Ni8Mare)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(282598);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/17");

  script_cve_id("CVE-2026-21858");

  script_name(english:"n8n Node.js Package 1.65.0 < 1.121.0 Improper Access Control (Ni8Mare)");

  script_set_attribute(attribute:"synopsis", value:
"The n8n Node.js Package installed on the remote host is affected by an improper access control vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the n8n Node.js Package installed on the remote host is prior to 1.121.0. It is,
therefore, affected by an improper access control vulnerability:

  - A vulnerability in n8n allows an attacker to access files on the underlying server 
    through execution of certain form-based workflows. A vulnerable workflow could grant 
    access to an unauthenticated remote attacker. This could result in exposure of sensitive 
    information stored on the system and may enable further compromise depending on deployment 
    configuration and workflow usage.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/advisories/GHSA-v4pr-fm98-w9pg
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d4b29aa0");
  # https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?43482ff1");
  script_set_attribute(attribute:"solution", value:
"Upgrade to n8n Node.js Package version 1.121.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-21858");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nodejs:node.js");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nodejs_modules_win_installed.nbin", "nodejs_modules_linux_installed.nbin", "nodejs_modules_mac_installed.nbin");
  script_require_keys("Host/nodejs/modules/enumerated");

  exit(0);
}

include('vcf_extras_nodejs.inc');

get_kb_item_or_exit('Host/nodejs/modules/enumerated');

var app = 'n8n';
var app_info = vcf_extras::nodejs_modules::get_app_info(app:app);

if (empty_or_null(app_info))
  audit(AUDIT_NOT_INST, app);

var constraints = [
  {'max_version':'1.65.0', 'fixed_display' : '1.121.0'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);