In early January 2026, cybersecurity researchers disclosed a maximum-severity security flaw in the popular open-source workflow automation platform n8n. Tracked as CVE-2026-21858 and nicknamed “Ni8mare,” this vulnerability carries a CVSS score of 10.0 — the highest possible rating, meaning exploitation is both easy and catastrophic for unpatched systems.

Figure: The flawed parser logic (Source: Cyera)
What is n8n and Why It Matters
n8n is an open-source automation platform that allows users to visually connect applications, APIs, databases, cloud services and AI tooling into automated workflows without writing code. It’s widely adopted across tech teams, especially where artificial intelligence and data pipelines are concerned:
- Over 100 million pulls on Docker Hub
- More than 50,000 weekly downloads from npm
- Used to orchestrate AI agents, build RAG pipelines, and automate data ingestion tasks
Given its role as a central automation hub, n8n typically stores API keys, OAuth tokens, database credentials, cloud storage access, CI/CD secrets and other business-critical data — making a compromise especially severe.
Inside the Ni8mare Vulnerability
At its core, CVE-2026-21858 stems from improper input and content-type handling in n8n’s webhook and file-processing logic. Certain form-based workflows can be manipulated to bypass the normal data-parsing safeguards, allowing an attacker to control file metadata, including file paths, and then read arbitrary files on the server.

Figure: Triggering Ni8mare (CVE-2026-21858) to access the database (Source: Cyera)
Once an attacker can read files:
- They can expose sensitive configurations and credentials
- They can forge session cookies
- They can potentially gain administrative access
- And ultimately execute arbitrary code on the underlying host
In short, an unauthenticated remote attacker can take complete control of a vulnerable n8n instance.
Scale of the Problem
Early reports from security monitoring groups estimate more than 100,000 vulnerable n8n instances worldwide, particularly self-hosted deployments running versions older than 1.121.0.
A separate analysis highlighted that nearly 60,000 instances exposed online remain unpatched, posing a substantial global risk — with affected servers spread across the U.S., Europe and Asia among other regions.
Where n8n is exposed to the public internet without proper access controls, attackers have a direct entry point to exploit Ni8mare.
Timeline & Disclosure
- 9 November 2025: Cyera researchers discovered the flaw and reported it to the n8n development team.
- 18 November 2025: n8n published a patched version, 1.121.0, resolving Ni8mare.
- 7 January 2026: The vulnerability was officially cataloged as CVE-2026-21858, alongside public advisories and analyses.
Mitigation and Response
There is no official workaround for Ni8mare aside from patching. Security teams are urged to:
- Upgrade immediately to n8n version 1.121.0 or later.
- Restrict or disable publicly accessible webhooks and form endpoints unless absolutely necessary.
- Monitor exposed instances and internal workflows for signs of compromise.
Because the flaw can be triggered without authentication and works across a wide range of vulnerable versions, delaying an update significantly increases risk.
Key Takeaways
- Ni8mare (CVE-2026-21858) is a critical unauthenticated remote code execution flaw in n8n.
- It affects versions below 1.121.0 and has a CVSS severity of 10.0 — the highest possible.
- Tens of thousands of servers remain exposed online.
- The vulnerability can lead to full server takeover and data exposure.
- The only reliable mitigation is upgrading to the patched release.
FAQs
1. What exactly is the Ni8mare vulnerability?
Ni8mare is a maximum-severity security flaw tracked as CVE-2026-21858. It allows an unauthenticated remote attacker to read arbitrary files on an n8n server, which can lead to credential theft, admin session forgery, and full server takeover.
2. Does Ni8mare require authentication to exploit?
No. The vulnerability is fully exploitable without authentication. Any n8n instance exposed to the internet and running a vulnerable version can be attacked remotely, making public-facing deployments the highest-risk targets.
3. Which versions of n8n are affected?
All n8n versions prior to 1.121.0 are vulnerable.
Version 1.121.0 and later fully patch the issue. There are no partial fixes or configuration-only mitigations that remove the risk on older versions.
4. What data can attackers access if Ni8mare is exploited?
An attacker can potentially access:
- API tokens and OAuth credentials
- Database usernames and passwords
- Cloud service keys (AWS, GCP, Azure, etc.)
- Workflow logic and automation triggers
- Session cookies that enable admin account hijacking
Because n8n often acts as a central automation brain, the blast radius can extend well beyond the n8n server itself.
5. How widespread is the exposure risk?
Security scans identified tens of thousands of internet-exposed n8n instances, with estimates exceeding 100,000 total vulnerable deployments worldwide at disclosure time. A significant number remain unpatched, particularly among self-hosted environments.
