@blamejs/exceptd-skills 0.13.122 → 0.13.123

package/data/atlas-ttps.json

@@ -1790,7 +1790,9 @@
       "CVE-2026-34159",
       "CVE-2026-41947",
       "CVE-2026-41950",
-      "CVE-2026-45829"
+      "CVE-2026-45829",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ]
   },
   "AML.T0050": {

package/data/attack-techniques.json

@@ -345,7 +345,9 @@
       "CVE-2025-68665",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2025-68668",
+      "CVE-2026-21858"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
     "platforms": [
@@ -561,7 +563,8 @@
       "CVE-2026-6973",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-21858"
     ],
     "description_full": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare) The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)",
     "platforms": [
@@ -1107,7 +1110,9 @@
       "CVE-2025-69286",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
     "platforms": [
@@ -1334,7 +1339,8 @@
     "cve_refs": [
       "CVE-2026-41950",
       "CVE-2024-12450",
-      "CVE-2026-22218"
+      "CVE-2026-22218",
+      "CVE-2026-21858"
     ]
   },
   "T1485": {

package/data/cve-catalog.json

@@ -39967,5 +39967,212 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "SGLang /v1/rerank renders a model-supplied jinja2 chat_template in a non-sandboxed Environment, so a malicious model achieves RCE (CWE-94); fix renders with ImmutableSandboxedEnvironment."
+  },
+  "CVE-2026-21858": {
+    "name": "n8n Form-Based Unauthenticated Arbitrary File Access",
+    "type": "Arbitrary File Access",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
+    "cvss_note": "GitHub (CNA) CVSS v3.1 base 10.0 (CRITICAL, scope-changed). n8n versions 1.65.0 through < 1.121.0 allow an unauthenticated attacker to access files on the underlying server through the execution of certain form-based actions, with no input validation confining the accessed path (CWE-20 improper input validation). The public exploit chains beyond file read: on a locally deployed instance with a readable DB/config it reads the credentials, forges an admin session, then creates a workflow using the Execute Command node to run host commands - i.e. unauthenticated file read escalating to remote code execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing GitHub Security Advisory: unauthenticated form-based requests reach a file-access path on the n8n server.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory and enriched by NVD. The abused surface is n8n, a widely deployed workflow-automation / AI-workflow platform (>100k internet-reachable instances reported).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing input validation on a form-based action that reaches a server file-access path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog). FIRST EPSS percentile is elevated (91st).",
+    "affected": "n8n 1.65.0 through versions before 1.121.0.",
+    "affected_versions": [
+      "n8n >= 1.65.0, < 1.121.0"
+    ],
+    "vector": "n8n exposes form-based actions that reach a file-access path on the underlying server without authentication or path confinement, so an unauthenticated attacker accesses arbitrary server files (CWE-20 improper input validation); the scope-changed CVSS reflects reaching resources beyond the application boundary. Where the local database/config is readable, the public exploit chains this into full host RCE: read the DB/config, forge an authenticated admin session, then create a workflow whose Execute Command node runs arbitrary host commands.",
+    "complexity": "low",
+    "complexity_notes": "GitHub v3.1 AV:N / AC:L / PR:N / UI:N - unauthenticated form-based request.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to n8n 1.121.0 or later; redeploy the instance and ensure it is not exposed unauthenticated to untrusted networks.",
+    "vendor_update_paths": [
+      "Upgrade n8n to 1.121.0 or later. Authenticate form-based actions, validate and confine any file path they reach, and do not expose the n8n instance to untrusted networks."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "No input validation confines the file path reached by the form-based action (CWE-20).",
+      "NIST-800-53-AC-3": "Access enforcement does not require authentication on a path that reaches server files.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not require validation/confinement of file paths reached by form actions.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model a workflow-automation platform's form actions as an unauthenticated file-access surface.",
+      "DORA-Art-9": "ICT protection measures do not model unauthenticated file access in an AI-workflow platform as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for authentication + path confinement on workflow-platform form actions.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-workflow / automation platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a workflow-automation platform's form-action file path as an integrity boundary requiring auth + confinement."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1213",
+      "T1078",
+      "T1059"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "High (RWEP 31, \"patch promptly\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 1.121.0 (Hard Rule #3): poc_available=20 + blast_radius=26 (unauthenticated CVSS-10.0 arbitrary file read that the public exploit chains into admin-session forgery + Execute Command host RCE on locally deployed instances; >100k internet-reachable instances; elevated EPSS), minus patch_available 15.",
+    "epss_score": 0.06939,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.06939 (91st percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-21858",
+    "cwe_refs": [
+      "CWE-20"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated n8n form-based requests that reference server file paths (../ traversal or absolute paths).",
+        "n8n returning contents of server files (config, .env, credentials) to unauthenticated callers.",
+        "n8n 1.65.0-1.120.x reachable unauthenticated on the network - the exposed precondition.",
+        "n8n workflows created shortly after an unauthenticated file-read that use the Execute Command node to run host commands.",
+        "Admin/authenticated sessions appearing without a corresponding login, consistent with a forged session derived from a leaked DB/config."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the n8n GitHub Security Advisory and NVD CVE-2026-21858 (CWE-20)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-21858"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-21858",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21858",
+        "severity": "critical",
+        "published_date": "2026-01-08"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-21858",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21858",
+        "severity": "critical",
+        "published_date": "2026-01-08"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-21858 (CWE-20) + the n8n GitHub Security Advisory (CNA, CVSS v3.1 10.0). n8n workflow-automation unauthenticated file access via form actions; reuses the AI-runtime-API path-traversal validation control NEW-CTRL-094.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "n8n 1.65.0-1.120.x lets an unauthenticated attacker access server files via form-based actions without path confinement (CWE-20); fixed in 1.121.0."
+  },
+  "CVE-2025-68668": {
+    "name": "n8n Python Code Node Pyodide Sandbox Bypass RCE",
+    "type": "Sandbox Escape",
+    "cvss_score": 9.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "GitHub (CNA) / NVD CVSS v3.1 base 9.9 (CRITICAL, scope-changed). n8n's Python Code Node runs user code in a Pyodide sandbox, but an authenticated user with permission to edit workflows bypasses the sandbox and executes code with host privileges (CWE-693 protection mechanism failure).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing GitHub Security Advisory: a crafted Python Code Node escapes the Pyodide sandbox to the host.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory and enriched by NVD. The abused surface is n8n's Python Code Node (Pyodide), in a widely deployed AI-workflow / automation platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a sandbox-bypass (protection-mechanism failure) in a visual workflow builder's code-execution node.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "n8n 1.0.0 up to before 2.0.0 (Python Code Node / Pyodide).",
+    "affected_versions": [
+      "n8n >= 1.0.0, < 2.0.0"
+    ],
+    "vector": "n8n's Python Code Node executes user-supplied code inside a Pyodide sandbox, but the sandbox is bypassable, so an authenticated user with workflow-edit permission escapes it and runs code with the privileges of the n8n process (CWE-693 protection mechanism failure) - a code-node sandbox escape.",
+    "complexity": "low",
+    "complexity_notes": "GitHub v3.1 AV:N / AC:L / PR:L - an authenticated user who can edit a workflow.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to n8n 2.0.0 or later; redeploy the instance.",
+    "vendor_update_paths": [
+      "Upgrade n8n to 2.0.0 or later. Treat the code node as a code-execution sink: run it in a hardened sandbox with no host filesystem/network/process access, restrict who can edit workflows, and never expose the editor to untrusted users."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not contain the code node to its sandbox - an editor escapes to host privileges.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not stop a sandbox-bypass in the workflow builder's code node.",
+      "NIST-800-53-SC-39": "Process isolation does not confine the Pyodide-sandboxed code node from the host process.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not guarantee the code-node sandbox is non-bypassable.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model a workflow builder's code node as a sandbox-escape RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model code-node sandbox escape in an AI-workflow platform as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for non-bypassable code-node sandboxing in workflow platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-workflow / automation platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual workflow builder's code node as a code-execution sink requiring a non-bypassable sandbox."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 27, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 2.0.0 (Hard Rule #3): poc_available=20 + blast_radius=22 (authenticated code-node sandbox escape to host RCE in a widely deployed workflow builder), minus patch_available 15.",
+    "epss_score": 0.00035,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00035 (10th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-68668",
+    "cwe_refs": [
+      "CWE-693"
+    ],
+    "iocs": {
+      "behavioral": [
+        "n8n Python Code Node workflows containing Pyodide escape patterns (reaching the host filesystem / process from inside the sandbox).",
+        "Process execution / host access by the n8n process originating from a Python Code Node run.",
+        "n8n 1.x (< 2.0.0) with the Python Code Node enabled for users who can edit workflows - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the n8n GitHub Security Advisory and NVD CVE-2025-68668 (CWE-693)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-68668"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-68668",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668",
+        "severity": "critical",
+        "published_date": "2025-12-19"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-68668",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668",
+        "severity": "critical",
+        "published_date": "2025-12-19"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-68668 (CWE-693) + the n8n GitHub Security Advisory (CNA, CVSS v3.1 9.9). n8n Python Code Node Pyodide sandbox bypass; reuses the AI-app-builder execution-endpoint auth-and-sandbox control NEW-CTRL-103 (shared with the Dify code-node escape and Langflow/Flowise RCEs).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "n8n's Python Code Node Pyodide sandbox is bypassable, so an authenticated workflow editor runs code with host privileges (CWE-693); fixed in 2.0.0."
   }
 }

package/data/cwe-catalog.json

@@ -56,7 +56,8 @@
       "CVE-2026-32201",
       "CVE-2026-34197",
       "CVE-2026-6973",
-      "CVE-2025-10164"
+      "CVE-2025-10164",
+      "CVE-2026-21858"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -2197,7 +2198,8 @@
       "CVE-2025-3466",
       "CVE-2025-40536",
       "CVE-2026-21510",
-      "CVE-2026-21513"
+      "CVE-2026-21513",
+      "CVE-2025-68668"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 to back the UnDefend Defender update-disruption entry. CWE-693 is the canonical parent for failures-of-protection-mechanism — Defender continues running but its update mechanism has been corrupted, so the AV protection-mechanism fails silently while the host still passes 'is Defender running?' health checks."

package/data/framework-control-gaps.json

@@ -123,7 +123,9 @@
       "CVE-2026-22219",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1321,7 +1323,9 @@
       "CVE-2026-22218",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -2270,7 +2274,8 @@
     "evidence_cves": [
       "CVE-2024-21626",
       "CVE-2025-22224",
-      "CVE-2025-22225"
+      "CVE-2025-22225",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -2443,7 +2448,8 @@
       "CVE-2026-22219",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -2896,7 +2902,8 @@
       "CVE-2026-22778",
       "CVE-2026-32202",
       "CVE-2026-33017",
-      "CVE-2026-33825"
+      "CVE-2026-33825",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0017"
@@ -5234,7 +5241,9 @@
       "CVE-2026-22219",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5286,7 +5295,9 @@
       "CVE-2026-7482",
       "CVE-2025-69286",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0051"
@@ -5832,7 +5843,9 @@
       "CVE-2026-22219",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5962,7 +5975,9 @@
       "CVE-2026-22219",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6390,7 +6405,9 @@
       "CVE-2026-22219",
       "CVE-2025-51480",
       "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -17446,5 +17446,105 @@
     ],
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-21858": {
+    "name": "n8n Form-Based Unauthenticated Arbitrary File Access",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "n8n exposes form-based actions that reach a server file-access path without authentication or path confinement, so an unauthenticated attacker reads arbitrary server files.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is n8n, an AI-workflow / automation platform. The lesson: every form/automation action that can reach the filesystem must be authenticated and its path confined - workflow platforms are high-value because their workflows hold credentials."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation confines the file path reached by the form-based action."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not require authentication on a path that reaches server files."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a workflow platform's form-action file path as an integrity boundary requiring auth + confinement."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 79,
+      "basis": "Workflow-automation platforms expose form/automation actions on trusted-network assumptions; path confinement + auth on file-reaching actions are rarely audited.",
+      "theater_pattern": "ai_workflow_unauth_file_access"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "An AI application or workflow platform's file/path-bearing inputs (upload filenames, model-embedded paths, element/document paths, form-action paths, API route parameters) must be authenticated, canonicalized, and confined to an allowlisted base directory before any filesystem access - including non-ASCII / encoding transforms. The distinguishing test: send an unauthenticated request whose path decodes to ../ traversal or an absolute path on a staging instance and confirm it is refused, not read or written outside the intended directory.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-21858",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-68668": {
+    "name": "n8n Python Code Node Pyodide Sandbox Bypass RCE",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "n8n's Python Code Node runs user code in a Pyodide sandbox that is bypassable, so an authenticated workflow editor escapes it and executes code with host privileges.",
+      "privileges_required": "low (authenticated user who can edit workflows)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is n8n's code node, in an AI-workflow / automation builder. The lesson: a visual builder's code node is a code-execution sink - it must run in a non-bypassable, host-isolated sandbox, and workflow-edit permission must be tightly scoped."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not contain the code node to its sandbox."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not stop a sandbox bypass in the code node."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a workflow builder's code node as a code-execution sink requiring a non-bypassable sandbox."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 81,
+      "basis": "Visual workflow builders ship code nodes with in-process sandboxes (Pyodide/vm) that are bypassable; sandbox non-bypassability is rarely audited.",
+      "theater_pattern": "ai_app_builder_code_node_sandbox_escape"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent/workflow builder (Langflow, Flowise, Dify, n8n, and similar) must authenticate every endpoint that can reach a code-execution path and must never run flow/workflow-supplied code through a dynamic-evaluation path with host privileges. Sandbox any code the platform executes on a user's behalf in a non-bypassable, host-isolated environment (no filesystem/network/process access beyond intent), and scope workflow-edit permission tightly. The distinguishing test: run a code node that attempts a host action (shell/network/filesystem) on a staging instance and confirm the sandbox refuses it - an in-process sandbox (Pyodide/vm) that is bypassable still permits RCE.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
   }
 }