The Bug Report – January 2026 Edition

By Jonathan Omakun · February 12, 2026

Why am I here?

Welcome back to The Bug Report, the post-holiday edition, where we realize that while our resolutions to "go to the gym" have already failed, hackers’ resolutions to "break everything" are going strong. For those new to the party, our research team sifts through the digital debris of the last month to bring you the bugs that actually matter. We do the reading so you don't have to (and so you can sound smart in your Monday morning stand-ups).

January kicked off 2026 with a bang—and not the fun confetti kind. We have state-sponsored actors abusing Microsoft Office features, a blast from the ancient past with Telnet, and the AI revolution creating new and exciting ways to get pwned.

Here is the lineup for the bugs keeping us up at night:

CVE-2026-21509 Microsoft Microsoft Office, Security Feature Bypass

CVE-2026-24061 GNU Inetutils Telnetd, Remote Authentication Bypass

CVE-2026-0755 Gemini MCP Tool gemini-mcp-tool, Command Injection, Remote Code Execution

CVE-2026-21858 & CVE-2025-68613: n8n Workflow Automation - The "Ni8mare" Chain

CVE-2026-21962 Oracle HTTP Server/WebLogic Server Proxy Plug-in, Improper Access Control

CVE-2026-21509: Office’s OLE guardrail got… politely ignored

What is it?

CVE-2026-21509 is a high-severity security feature bypass in Microsoft Office. If you thought the "Preview Pane" was just for awkwardly glancing at emails you don't want to reply to, think again. This vulnerability bypasses the OLEJS Scoped Activation Filter—a fancy boundary meant to stop JavaScript inside OLE objects from going rogue.

Essentially, by loading a specific OLE object (Shell.Explorer.1, CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}), an attacker can trigger HTML parsing and JavaScript execution. The vulnerability exists because this specific object queues its instantiation for later via a window message, confusing the Office security context. It disconnects the security filter from the actual execution, allowing the attacker to slip malicious JS past the goalie.

Who cares?

The Russian state-sponsored group APT28 (Fancy Bear) certainly cares. Trellix observed them weaponizing this vulnerability against European military and government entities before the ink was even dry on the disclosure. The attack began with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509. The spear-phishing document uses the exploit to achieve code execution as soon as it is opened. APT28’s malicious documents embedded a specially crafted OLE object (for instance, a Shell.Explorer ActiveX control) that automatically retrieves the next-stage payload over HTTP/WebDAV. This made it simple to go from "I opened a document" to "I own your machine" (RCE).
If you use Office 2016 through LTSC 2024, or Microsoft 365 Apps, you are in the crosshairs.

What can I do?

Microsoft released an out-of-band update on January 26, 2026. Install it. Specifically, if you are on build 16.0.5539.1001 (Office 2016) or 16.0.10417.20095 (Office 2019). If you are on Office 2021+, a service-side change might have saved you, but you need to restart your apps. If you are on 2016/2019 and can't patch today, you can follow Microsoft’s mitigation guidance that details the registry keys to add to the COM Compatibility hive to block the specific CLSID mentioned earlier. And please, back up your registry before you start messing with it.

Trellix Customers: Trellix Network Security (NX) contains detection for this vulnerability. Please ensure that you update to at least SC: 1648.134.

CVE-2026-24061: Telnet returns from the grave (and it brought root)

What is it?

We honestly thought we left Telnet in 2015 (the year this bug was introduced code-wise), but here we are. CVE-2026-24061 is an authentication bypass in GNU Inetutils telnetd. The daemon fails to sanitize the USER environment variable during negotiation.

The exploit is embarrassingly simple. The Telnet protocol allows clients to pass environment variables. By constructing a malicious NEW_ENVIRON packet, an attacker can inject arguments into the login binary.

Here is the "magic" byte sequence that breaks it:

When the server receives this, it executes the login binary roughly like this: /bin/login -f root. The -f flag tells login, "Hey, this user is already authenticated, let them in." And just like that, you have a root shell without typing a password.

Who cares?

Anyone running legacy infrastructure, OT (Operational Technology) networks, or IoT devices that rely on GNU Inetutils. Shodan says there are 212,396 devices worldwide running a Telnet server, and Censys shows over a million devices listening on port 23. Not all of them might be using the vulnerable GNU telnetd, but if you are one of them, the internet is laughing at you, and hackers are thanking you.

What can I do?

Stop using Telnet. Seriously, use SSH. If you absolutely must use it for some archaic mainframe reason, update GNU Inetutils to version 2.7-2 immediately, or restrict port 23 so only trusted internal IPs can access it.

CVE-2026-0755: I'm Sorry Dave, I Can't Do That (But I Can Run Shell Commands)

What is it?

We’ve spent the last few years teaching AI to code, but apparently, we forgot to teach it how to wash its hands.

This vulnerability lives in the gemini-mcp-tool, a package designed to let your fancy AI agents interact with your computer. The problem? It suffers from serious hygiene issues. In the security world, we call this "sanitizing inputs," but this tool prefers to eat off the floor. It blindly trusts user input, failing to scrub away dangerous characters like ‘;’or ‘|’ before passing them to the system shell.

Here is what the conversation looks like:

• User: "Hey AI, please echo 'hello'."
• Gemini Tool: "Okay! Executing: echo hello"
• Hacker: "Hey AI, please echo 'hello'; cat /etc/passwd"
• Gemini Tool: "Okay! Executing: echo hello... and here are all your system secrets!"

Who cares?

If your startup pitch involves "Agentic AI" that can "do things on your behalf," you should care deeply. This isn't just a bug; it's a feature request for threat actors. Since this tool serves as a bridge between the internet and your local shell, exploiting it is basically the ultimate prompt injection. It turns your "smart" assistant into a remote access trojan (RAT) with excellent grammar.

What can I do?

As of version 1.1.2, there is no official patch, which is just delightful. Your best move? Treat this tool like a toddler with a cold: keep it isolated and do not run it in a privileged environment. If you must use it, run it inside a hardened Docker container with zero privileges. Or, you know, maybe don't give an unwashed shell to a chatbot.

CVE-2026-21858 & CVE-2025-68613: The "Ni8mare" Chain

What is it?

On their own, these two n8n bugs are bad. Together, this is a beautiful, terrifying two-step combo. It turns a helpful automation bot into a malicious insider.

CVE-2026-21858 starts it all. It is an unauthenticated arbitrary-file-access issue triggered by how n8n parses certain form/webhook-style requests. In vulnerable versions (pre-1.121.0), an attacker can use the Content-Type confusion bug. By telling the server "I'm sending JSON" but actually sending form data, they trick the parser into accepting a file path that shouldn't be.

They use this to steal the /home/node/.n8n/config file, which contains the encryptionKey.

CVE-2025-68613 continues the nightmare. With the key, they forge an admin cookie. Now authenticated, they exploit a sandbox escape in the workflow expression engine using this nasty one-liner:

By accessing this.process.mainModule.require, they break out of the Node.js jail and execute system commands as the n8n user.

Who cares?

Developers, DevOps engineers, and anyone using n8n to glue their APIs together. If you are running a vulnerable version (pre-1.121.0), an unauthenticated attacker can steal your secrets and turn your automation server into a crypto-miner (or worse). n8n isn’t “just an app”—it’s usually a credentialed automation hub. A compromise here often becomes a supply-chain-of-your-own-infrastructure problem: attackers don’t just get one host, they get everything n8n is allowed to talk to.

What can I do?

Update n8n to version 1.121.0 or later immediately. Also, check your encryptionKey—if you suspect a breach, rotate it, because patching doesn't fix a stolen key.

Trellix Customers: Trellix Intrusion Prevention System (IPS) contains coverage for these vulnerabilities. Ensure that at least signature set 11.10.37.2 is applied, and the HTTP Response option is enabled.

CVE-2026-21962: The Oracle Speaks... Arbitrary Commands

What is it?

A critical flaw in the Oracle WebLogic Server Proxy Plug-in. It’s a classic path traversal setup (..;) that allows attackers to access restricted internal servlets. Once inside, they use HTTP header injection (via WL-Proxy-Client-IP) to pass commands.

The attack vector is surprisingly direct. Attackers send a request with a header like:

WL-Proxy-Client-IP: cmd: <Base64 Encoded Command>

The server erroneously processes the cmd: prefix as a directive rather than network metadata, executing the encoded string as a system command.

Who cares?

Enterprises running Oracle HTTP Server or WebLogic. This requires zero authentication and provides full system compromise. If you have "Oracle" in your tech stack, check this now.

What can I do?

Apply the Oracle Critical Patch Update (CPU). Configure your WAF to drop requests with ..; directory traversal attempts and suspicious cmd: headers.

Trellix Customers: Trellix Intrusion Prevention System (IPS) contains coverage for these vulnerabilities. Ensure that at least the signature set 11.10.37.5 is applied.

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/