Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Control: CVE-2026-21858
Key Takeaways:
- CVE-2026-21858 (Ni8mare) is a maximum-severity vulnerability (CVSS 10.0) allowing full remote code execution.
- The flaw is unauthenticated, meaning attackers do not need a login to exploit the system.
- Exploitation involves “Content-Type” confusion to read internal databases and extract encryption secrets.
- Over 26,000 instances are currently exposed globally, primarily in the US and Germany.
- Immediate upgrade to version 1.121.0 or later is mandatory for all users.
Table of Contents
- Overview of the Ni8mare Flaw
- Technical Analysis of the Ni8mare Vulnerability
- The Exploit Path to Remote Code Execution (RCE)
- Broader Context of n8n Security Flaws
- Observed Exposure and Active Exploitation
- Strategic Impact on Supply-Chain Security
- Practical Takeaways for Stakeholders
- Addressing the Threat with PurpleOps
- Frequently Asked Questions
A maximum-severity security flaw has been identified in n8n, a widely used workflow automation platform. Tracked as CVE-2026-21858 (CVSS 10.0), this vulnerability allows an unauthenticated remote attacker to gain complete control over susceptible instances. Codenamed “Ni8mare” by Cyera Research Labs, the flaw was reported on November 9, 2025, and disclosed publicly following the release of patches. The vulnerability centers on a “Content-Type” confusion flaw that permits sensitive secret extraction, administrator access forgery, and arbitrary command execution on the underlying server.
The n8n platform is designed to handle complex data workflows, connecting various applications and services through webhooks. CVE-2026-21858 impacts the platform’s core file-handling and webhook parsing mechanisms. Specifically, the vulnerability resides in how n8n processes incoming HTTP requests before they are passed to individual workflow nodes. Unlike other recent vulnerabilities in the same ecosystem, this flaw requires no valid credentials, making it accessible to any actor with network access to the n8n instance.
Technical Analysis of the Ni8mare Vulnerability
The technical root of CVE-2026-21858 is found within the parseRequestBody() function. This function is responsible for determining how to process an incoming HTTP request based on the “Content-Type” header. The logic flow is as follows:
- If the “Content-Type” is set to multipart/form-data, the function invokes parseFormData(), also known as the file upload parser.
- For all other content types, the function invokes parseBody(), the regular body parser.
The file upload parser utilizes the parse() function from the formidable Node.js module. This module decodes the form data and stores the resulting file objects on the request as req.body.files. Under normal operation, this data is only populated and processed by a webhook when the content type matches the expected form-data format.
The security failure occurs because certain internal functions, specifically those handling form submissions through formWebhook(), call file-handling functions like copyBinaryFile() without first validating that the request was actually processed as multipart/form-data. Because this validation step is absent, an attacker can send a standard JSON or text request that the platform interprets as a “regular” body, but structure that request to manually populate the req.body.files object.
By controlling the req.body.files object, an attacker can manipulate the filepath parameter. Instead of the system copying a legitimate uploaded file, it can be instructed to copy any local file from the underlying server’s filesystem.
The Exploit Path to Remote Code Execution (RCE)
The primary primitive provided by CVE-2026-21858 is an arbitrary file read. However, in the context of a workflow automation tool, this primitive is easily escalated to full Remote Code Execution (RCE). An attacker targeting an organizational n8n instance can execute the following chain:
- Arbitrary File Read: Use the Content-Type confusion to target the n8n internal database, typically located at /home/node/.n8n/database.sqlite.
- Credential Extraction: Load the database into a knowledge-base or chat interface node within a vulnerable workflow to extract the administrator’s user ID, email address, and hashed password.
- Secret Retrieval: Use the same primitive to access the n8n configuration file at /home/node/.n8n/config to obtain the encryption secret key.
- Workflow Manipulation: With administrative access and the encryption key, the attacker can log in to the instance and create a new workflow containing an “Execute Command” node, resulting in full system compromise.
The data handled by n8n often includes API credentials, OAuth tokens, and database connection strings. A compromise of this nature provides attackers with a central point of access to the entire enterprise tech stack, effectively serving as a high-impact supply-chain risk.
Broader Context of n8n Security Flaws
The disclosure of CVE-2026-21858 follows a series of other critical vulnerabilities discovered in n8n over a short period. These include:
- CVE-2025-68613 (CVSS 9.9): Improper control of dynamically-managed code resources allowing authenticated RCE.
- CVE-2025-68668 / N8scape (CVSS 9.9): A sandbox bypass vulnerability allowing authenticated users to execute arbitrary host commands.
- CVE-2026-21877 (CVSS 10.0): Unrestricted file upload of dangerous types, allowing authenticated attackers to execute untrusted code.
While these previous flaws required some level of authentication, CVE-2026-21858 is significantly more dangerous due to its unauthenticated nature. Information regarding these exploits is frequently tracked via a cyber-threat intelligence platform to monitor for active scanning and exploitation attempts.
Observed Exposure and Active Exploitation
Data from the Censys attack surface management platform indicates that approximately 26,512 n8n hosts are currently exposed to the internet. The geographical distribution includes the United States (7,079), Germany (4,280), France (2,655), Brazil (1,347), and Singapore (1,129). This high volume of internet-facing instances provides a significant target surface for threat actors utilizing real-time ransomware intelligence to identify vulnerable infrastructure for initial access.
In addition to the n8n vulnerability, CISA recently added two other critical flaws to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2025-37164 (CVSS 10.0): A code injection vulnerability in Hewlett Packard Enterprise (HPE) OneView.
- CVE-2009-0556 (CVSS 8.8): An older code injection vulnerability in Microsoft Office PowerPoint.
The inclusion of these vulnerabilities in the KEV catalog indicates they are being actively exploited in the wild. A dark web monitoring service or Telegram threat monitoring can often identify when proof-of-concept (PoC) code for such vulnerabilities is shared among threat actor groups.
Strategic Impact on Supply-Chain Security
Automation platforms like n8n represent a critical node in supply-chain risk monitoring. Because these tools are designed to facilitate data movement between disparate systems, they often hold high-privilege credentials for cloud environments, financial systems, and customer databases.
When a vulnerability like CVE-2026-21858 is discovered, the risk is not limited to the host server. The “blast radius” includes every integrated application. Threat actors can use the compromised n8n instance to pivot into internal networks, exfiltrate sensitive data, or deploy ransomware across the connected infrastructure. Utilizing a live ransomware API can help organizations correlate internal logs with known attacker infrastructure to identify if a breach is in progress.
Practical Takeaways for Stakeholders
Technical Action Items:
- Version Verification: Immediately check n8n versions. Vulnerabilities exist in all versions prior to and including 1.65.0.
- Mandatory Upgrade: Deploy n8n version 1.121.0 or later.
- Network Isolation: Remove n8n instances from the public internet. Access should be restricted to VPN or Zero-Trust Access Gateways.
- Log Analysis: Audit server logs for unusual HTTP requests where the “Content-Type” header does not match the expected payload structure.
Non-Technical/Business Action Items:
- Asset Inventory: Confirm where automation tools are deployed within the organization.
- Risk Assessment: Evaluate the sensitivity of credentials stored within automation platforms.
- Policy Enforcement: Ensure all “shadow IT” automation platforms are managed by centralized IT security teams.
Addressing the Threat with PurpleOps
The complexity of modern automation necessitates a proactive security posture. PurpleOps provides a comprehensive suite of services designed to identify, monitor, and mitigate these risks before they result in a full-scale breach.
Monitoring for exposed infrastructure is a core component of our cyber-threat intelligence services. By utilizing underground forum intelligence, we identify early discussions and PoC releases related to critical vulnerabilities, allowing our clients to patch systems before automated scanning begins.
Our dark web monitoring capabilities provide brand leak alerting for organizations whose credentials may have been compromised. In cases where an automation tool is integrated into the core business logic, our supply chain information security assessments help identify architectural weaknesses that could lead to lateral movement.
To ensure your systems are resilient, PurpleOps offers deep and red team operations to simulate real-world attack scenarios. These services are essential for breach detection and verifying security controls. For organizations concerned about ransomware, our ransomware protection strategies provide necessary layers of defense.
For more information on securing your automation infrastructure, explore the PurpleOps platform and our full range of PurpleOps Solutions.
Frequently Asked Questions
1. What is the severity of CVE-2026-21858?
It is a maximum-severity vulnerability with a CVSS score of 10.0, indicating the highest possible risk level.
2. Which n8n versions are vulnerable to Ni8mare?
All versions prior to and including 1.65.0 are affected. Users should upgrade to 1.121.0, 2.1.5, 2.2.4, 2.3.0, or later.
3. Does an attacker need a password to exploit this?
No. This is an unauthenticated vulnerability, meaning an attacker can gain control without any login credentials.
4. How does the exploit achieve Remote Code Execution (RCE)?
The exploit first allows an attacker to read local files, such as the internal database and encryption keys. With this information, they can forge admin access and use built-in “Execute Command” nodes to run shell commands.
5. How many systems are currently at risk?
Current data shows over 26,000 n8n instances are exposed to the internet and potentially vulnerable if not patched.