A new critical vulnerability, codenamed “Ni8mare,” has been discovered in n8n, the popular workflow automation platform. The flaw allows unauthenticated attackers to bypass authentication, read sensitive local files and ultimately achieve Remote Code Execution (RCE) on the host system.
With a CVSS score of 10.0, this is a “drop everything and patch” event for organizations running self-hosted n8n instances.
SECURITY ADVISORY: CRITICAL “NI8MARE” VULNERABILITY (CVE-2026-21858) EXPOSES N8N INSTANCES TO FULL TAKEOVER
Severity: CRITICAL (CVSS 10.0)
Vulnerability ID: GHSA-v4pr-fm98-w9pg / CVE-2026-21858
Key Points: What Happened?
The Root Cause: The vulnerability stems from “Content-Type Confusion” in how n8n handles incoming webhook requests. Specifically, the system failed to validate that form-based data was actually sent as multipart/form-data.
The Exploit Path: Attackers can craft a malicious request to a webhook or form endpoint. By manipulating the request body, they can trick n8n into reading any file on the server that the n8n process has permission to access.
Authentication Bypass: Using the file-read primitive, attackers can steal the n8n SQLite database and the encryption key used to sign session cookies. This allows them to forge an administrative session cookie and log in without a password.
Full System Compromise: Once logged in as an admin, an attacker can use the built-in “Execute Command” node to run arbitrary shell commands, leading to a complete server takeover.
Impact: Who is at Risk?
- Affected Versions: All versions from 1.65.0 up to, but not including, 1.121.0.
- Deployment Type: Primarily affects self-hosted (local) instances. n8n Cloud users are generally protected as the maintainers have already applied mitigations to their managed infrastructure.
- Data at Risk: Because n8n acts as a “glue” for various enterprise tools, a compromise exposes API keys, database credentials, and sensitive internal workflows connected to the platform.
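The affected range above has an inclusive lower bound and an exclusive upper bound, which is easy to get wrong when checking a fleet by hand. The following inventory check is an added example for this advisory, not n8n tooling; the host names and version strings in it are constructed, and versions that cannot be parsed (tags such as "latest", or pre-release strings) are deliberately reported as unknown rather than silently treated as safe.

```javascript
// Added example (not n8n's code): decide whether a reported n8n version falls in
// the affected range given in the advisory, >= 1.65.0 and < 1.121.0, for an
// inventory script that reads the version strings collected from each
// self-hosted instance.

const AFFECTED_FROM = "1.65.0"; // first affected release (inclusive), per advisory
const FIXED_IN = "1.121.0";     // first fixed release (exclusive), per advisory

// Parse "1.121.0" or "v1.121.0" into [major, minor, patch]. Pre-release tags
// ("1.121.0-rc.1") and non-numeric tags ("latest") are rejected on purpose:
// an unreadable version must fail loudly instead of being reported as safe.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(str).trim());
  if (!m) throw new Error(`unparseable version string: ${JSON.stringify(str)}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version strings: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when AFFECTED_FROM <= version < FIXED_IN.
function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Classify an inventory of { host, version } records. Entries whose version
// cannot be parsed are returned separately so they get checked by hand.
function triageInventory(instances) {
  const result = { affected: [], notAffected: [], unknown: [] };
  for (const inst of instances) {
    let affected;
    try {
      affected = isAffected(inst.version);
    } catch (e) {
      result.unknown.push(inst);
      continue;
    }
    (affected ? result.affected : result.notAffected).push(inst);
  }
  return result;
}

// Constructed sample inventory, not data from any real deployment.
const SAMPLE_INVENTORY = [
  { host: "automation-prod.internal", version: "1.120.3" },
  { host: "automation-dev.internal", version: "v1.121.0" },
  { host: "legacy-n8n.internal", version: "1.64.2" },
  { host: "unknown-box.internal", version: "latest" },
];

const triage = triageInventory(SAMPLE_INVENTORY);
for (const i of triage.affected) console.log(`AFFECTED     ${i.host} (${i.version}) -> upgrade to ${FIXED_IN} or later`);
for (const i of triage.notAffected) console.log(`not affected ${i.host} (${i.version})`);
for (const i of triage.unknown) console.log(`UNKNOWN      ${i.host} (${i.version}) -> verify manually`);
```

The "not affected" bucket only means the version is outside the range this advisory gives; it says nothing about the other recent n8n CVEs mentioned at the end of the post.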
n8n's own advisory describes the issue as follows: “A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage.”
FAQs: What You Need to Know
Q: Do I need to be logged in for this to be exploited?
A: No. This is an unauthenticated vulnerability. Anyone with network access to your n8n webhook or form endpoints can attempt the exploit.
Q: Is there an active exploit in the wild?
A: While there are no confirmed reports of mass exploitation yet, technical details and Proof-of-Concept (PoC) logic have begun circulating in the security community. The ease of exploitation makes immediate action necessary.
Q: Is there a workaround if I can’t patch immediately?
A: There is no official software workaround. However, you can temporarily mitigate the risk by:
- Restricting access to your n8n instance via a VPN or firewall.
- Disabling any publicly accessible Webhook or Form nodes.
- Placing n8n behind a Web Application Firewall (WAF) that can inspect and block suspicious multipart requests.
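The root cause described in the Key Points (form-based data accepted without checking that it really arrived as multipart/form-data) and the WAF mitigation in the list above are two sides of the same control. The code below is an added example, not n8n's code or its fix, of what strict Content-Type enforcement for a form endpoint looks like when placed in front of the application: the header is parsed per RFC 9110 (case-insensitive media type, optional quoted parameters), anything other than multipart/form-data with a boundary is rejected before any body parsing, and the rejection reason is logged so a SOC can alert on it. The Express-style wrapper is hypothetical framework glue and the sample requests are constructed.

```javascript
// Added example (not n8n's code or its fix): strict Content-Type validation for
// a form-submission endpoint, the check the advisory describes as missing,
// written the way a reverse-proxy or gateway rule in front of n8n would apply it.

// Parse a Content-Type header into its media type and parameters.
// RFC 9110: type/subtype is case-insensitive, parameter values may be quoted,
// whitespace around ';' is allowed. Returns null for a malformed header.
function parseContentType(header) {
  if (typeof header !== "string") return null;
  const [rawType, ...rawParams] = header.split(";");
  const mediaType = rawType.trim().toLowerCase();
  // Exactly token "/" token, nothing else (no spaces, no trailing junk).
  if (!/^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/.test(mediaType)) return null;
  const params = {};
  for (const p of rawParams) {
    if (!p.trim()) continue;            // tolerate a trailing ';'
    const eq = p.indexOf("=");
    if (eq === -1) return null;         // parameter without a value is malformed
    const name = p.slice(0, eq).trim().toLowerCase();
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);       // unquote quoted-string values
    }
    if (!name || !value) return null;
    params[name] = value;
  }
  return { mediaType, params };
}

// Decide whether a request may be processed as a form submission.
// Returns { ok: true } or { ok: false, reason } so the caller can reject the
// request and emit a log line with the reason.
function checkFormSubmission(headers) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  const ct = parseContentType(lower["content-type"]);
  if (!ct) return { ok: false, reason: "missing or malformed Content-Type" };
  if (ct.mediaType !== "multipart/form-data") {
    return { ok: false, reason: `form endpoint received ${ct.mediaType}` };
  }
  // multipart/form-data without a boundary cannot be parsed as a form at all.
  if (!ct.params.boundary) return { ok: false, reason: "multipart/form-data without boundary" };
  return { ok: true };
}

// Hypothetical Express-style middleware (not n8n's): reject before any body
// parser runs, so the body is never interpreted under an unexpected type.
function requireMultipartForm(req, res, next) {
  const verdict = checkFormSubmission(req.headers);
  if (!verdict.ok) {
    console.warn(`[form-guard] rejected ${req.method} ${req.url}: ${verdict.reason}`);
    res.statusCode = 415; // Unsupported Media Type
    res.end("form submissions must be multipart/form-data");
    return;
  }
  next();
}

// Constructed sample requests (not captured traffic) covering the edge cases.
const SAMPLE_REQUESTS = [
  { name: "valid form",        headers: { "Content-Type": "multipart/form-data; boundary=----abc123" } },
  { name: "uppercase type",    headers: { "content-type": 'MULTIPART/Form-Data; Boundary="----abc123"' } },
  { name: "json body",         headers: { "Content-Type": "application/json" } },
  { name: "no boundary",       headers: { "Content-Type": "multipart/form-data" } },
  { name: "lookalike subtype", headers: { "Content-Type": "multipart/form-datax; boundary=x" } },
  { name: "missing header",    headers: {} },
];

for (const r of SAMPLE_REQUESTS) {
  const v = checkFormSubmission(r.headers);
  console.log(`${r.name.padEnd(18)} -> ${v.ok ? "accept" : "reject: " + v.reason}`);
}
```

A gateway rule like this is a compensating control, not a substitute for the 1.121.0 update: it only covers the endpoints it is placed in front of, and the application behind it still carries the bug.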
The Solution: How to Fix
The n8n team has released an emergency patch to address this flaw.
Update immediately to n8n version 1.121.0 or later.
Rotate Secrets: If you suspect your instance was exposed, it is highly recommended to rotate your N8N_ENCRYPTION_KEY and all credentials stored within your n8n credentials vault after patching.
Audit Logs: Check your execution logs for any unauthorized workflows or unusual activity originating from the “Execute Command” node.
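Alongside the execution-log review, it is worth auditing the workflow definitions themselves for Execute Command nodes, especially in workflows that also start from a Form or Webhook trigger, since that is the combination the advisory describes. The script below is an added example, not n8n tooling; the node type strings it matches on are assumptions about n8n's built-in node identifiers and should be confirmed against your own exports, and the sample workflows are constructed.

```javascript
// Added example (not n8n tooling): scan exported workflow JSON for Execute
// Command nodes and rank them by whether an externally reachable trigger
// (Form or Webhook) sits in the same workflow.
//
// ASSUMPTION: these are the type identifiers n8n uses for its built-in nodes.
// Confirm them against a real export before relying on this scan.
const EXECUTE_COMMAND = "n8n-nodes-base.executeCommand";
const ENTRY_POINTS = new Set(["n8n-nodes-base.formTrigger", "n8n-nodes-base.webhook"]);

// Return one finding per Execute Command node in a single exported workflow.
function auditWorkflow(wf) {
  const findings = [];
  const nodes = Array.isArray(wf.nodes) ? wf.nodes : [];
  const triggers = nodes.filter((n) => ENTRY_POINTS.has(n.type));
  for (const n of nodes) {
    if (n.type !== EXECUTE_COMMAND) continue;
    findings.push({
      workflow: wf.name,
      node: n.name,
      command: (n.parameters && n.parameters.command) || "",
      externallyTriggered: triggers.length > 0,
      triggers: triggers.map((t) => t.name),
      // A shell node reachable from a public trigger is the case to look at first.
      severity: triggers.length > 0 ? "high" : "medium",
    });
  }
  return findings;
}

// Audit a list of exported workflows, high-severity findings first.
function auditAll(workflows) {
  return workflows
    .flatMap(auditWorkflow)
    .sort((a, b) => (a.severity === b.severity ? 0 : a.severity === "high" ? -1 : 1));
}

// Constructed sample exports (not from any real instance), shaped like n8n's
// workflow JSON: a name plus a nodes array of { name, type, parameters }.
const SAMPLE_WORKFLOWS = [
  { name: "Nightly backup", nodes: [
      { name: "Schedule", type: "n8n-nodes-base.scheduleTrigger", parameters: {} },
      { name: "Run backup", type: EXECUTE_COMMAND, parameters: { command: "/opt/backup.sh" } } ] },
  { name: "Intake form", nodes: [
      { name: "Form", type: "n8n-nodes-base.formTrigger", parameters: {} },
      { name: "Unexpected shell", type: EXECUTE_COMMAND, parameters: { command: "id" } } ] },
  { name: "Slack notifier", nodes: [
      { name: "Webhook", type: "n8n-nodes-base.webhook", parameters: {} },
      { name: "Slack", type: "n8n-nodes-base.slack", parameters: {} } ] },
];

for (const f of auditAll(SAMPLE_WORKFLOWS)) {
  console.log(
    `[${f.severity}] ${f.workflow} / ${f.node}: ${JSON.stringify(f.command)}` +
    (f.externallyTriggered ? ` (reachable via ${f.triggers.join(", ")})` : "")
  );
}
```

Every finding still needs a human decision: a scheduled backup that runs a shell script is normal, whereas an Execute Command node nobody recognises in a form-triggered workflow is exactly the "unauthorized workflow" the advisory tells you to look for.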
This disclosure comes on the heels of several other critical n8n vulnerabilities (such as CVE-2025-68668 and CVE-2025-68613) reported earlier this month. It highlights a growing trend of attackers targeting “automation layers”—the central hubs of modern business infrastructure. If you are running n8n, now is the time to audit your security posture and ensure your update pipelines are automated.