Overview
- CVE-2026-21858 carries a CVSS 10.0 rating and was patched in November 2025 in the 1.121.x releases, with vendors urging upgrades to 1.121.0/1.121.1 or later.
- Researchers published a working proof of concept and report increased probing of exposed instances, though no in-the-wild exploitation has been confirmed.
- The flaw stems from webhook file-handling that never verifies the request is actually multipart/form-data, so a client-supplied body can populate req.body.files and steer the handler into arbitrary file reads.
- Attackers can extract the SQLite database and config secret to forge an admin session cookie, then create a workflow that executes commands for full RCE.
- Roughly 100,000 servers may be exposed; there is no official workaround beyond patching, with guidance to restrict or disable public webhooks and forms, and a separate CVSS 10 bug (CVE-2026-21877) was also disclosed and fixed.