Ni8mare: CVE-2026-21858 Enables Full Takeover of Internet-Exposed n8n Instances

  • CVE ID: CVE-2026-21858
  • Severity: Critical
  • CVSS v3.1: 10.0 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
  • Attack Vector: Network
  • Authentication Required: None
  • Vulnerable: All n8n versions prior to 1.121.0

This vulnerability allows unauthenticated remote attackers to achieve arbitrary file access and remote code execution (RCE), leading to complete system compromise of vulnerable n8n instances.


Technical Root Cause

The issue originates from improper request parsing and content-type handling in n8n’s webhook and form-processing logic.

Key Technical Flaws

  1. Improper Content-Type Validation
    • The server does not strictly enforce or validate expected Content-Type headers.
    • Attackers can supply malformed or misleading content types (e.g., mixed multipart/form-data, application/json, or crafted boundary values).
  2. Unsafe Request Body Parsing
    • Incoming payloads are deserialized in a way that allows:
      • Object structure manipulation
      • Path traversal during file handling
      • Injection of attacker-controlled data into internal workflow execution paths
  3. Trust Boundary Violation
    • User-supplied data crosses directly into privileged execution contexts:
      • Workflow definitions
      • Credential resolution
      • File system access
    • This occurs prior to authentication checks, violating core zero-trust principles.

Exploitation Chain (High-Level)

A successful exploit typically follows this sequence:

  1. Unauthenticated HTTP request sent to a public webhook or form endpoint
  2. Crafted Content-Type and body payload manipulate how n8n parses the request
  3. Arbitrary file read (e.g., configuration files, credential stores)
  4. Secrets exposure
    • API keys
    • OAuth tokens
    • Database credentials
  5. Escalation to RCE
    • Malicious workflow injection
    • Command execution through node evaluation or unsafe templating
  6. Full host takeover
    • Persistence
    • Lateral movement via connected services

No user interaction or credentials are required at any stage.


Impact Assessment

Direct Impact

  • Remote code execution as the n8n service user
  • Complete loss of confidentiality, integrity, and availability
  • Exposure of all workflows and stored credentials

Indirect / Cascading Impact

Because n8n is commonly integrated with:

  • Cloud providers (AWS, GCP, Azure)
  • CI/CD pipelines
  • CRMs and ticketing systems
  • Internal APIs and databases

a single compromised instance can act as a pivot point into broader enterprise infrastructure.


Exposure at Scale

Security researchers report tens of thousands of internet-facing n8n instances, many:

  • Deployed with default configurations
  • Exposed directly to the public internet
  • Running with elevated filesystem or Docker privileges

This dramatically increases the likelihood of mass exploitation and automated scanning attacks.


Affected Versions

  • Vulnerable:
    • All n8n versions prior to 1.121.0
  • Patched:
    • n8n ≥ 1.121.0

The fixed release introduces stricter request parsing, hardened content-type validation, and improved boundary enforcement.


Mitigation & Defensive Guidance

Immediate Actions (High Priority)

  1. Upgrade immediately to n8n 1.121.0 or later
  2. Rotate all credentials stored in n8n (assume compromise if exposed)
  3. Audit workflow definitions for unauthorized changes

Hardening Recommendations

  • Remove public internet exposure; place n8n behind:
    • VPN
    • Reverse proxy with authentication
    • IP allowlists
  • Disable unused webhook endpoints
  • Run n8n with:
    • Least-privilege filesystem access
    • Non-root containers
  • Enable:
    • HTTP request logging
    • Anomaly detection on webhook usage

Detection Indicators

  • Unexpected workflow executions
  • Webhook requests with unusual Content-Type headers
  • Sudden access to credential-related nodes
  • Outbound connections from the n8n host to unknown destinations
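The second indicator above (webhook or form requests carrying unusual Content-Type headers) can be turned into a log check. The script below is an added example, not code from the advisory or from the n8n project; it assumes a hypothetical access-log layout, that webhook and form endpoints live under the /webhook and /form path prefixes, and a constructed set of sample lines. It flags comma-joined media types, media types outside an allowlist, and multipart boundaries that are missing or malformed under RFC 2046.

```python
import re

# Constructed sample access-log lines in a hypothetical layout (not n8n's own
# log format): <client_ip> <method> <path> <status> ct="<Content-Type header>"
SAMPLE_LOG = """\
10.0.0.5 POST /webhook/order-intake 200 ct="application/json"
10.0.0.9 POST /form/intake 200 ct="multipart/form-data; boundary=----FormBoundary7MA4YWxk"
198.51.100.7 POST /form/intake 200 ct="multipart/form-data, application/json"
198.51.100.7 POST /webhook/order-intake 200 ct="multipart/form-data; boundary=<!--x-->"
198.51.100.7 POST /webhook/order-intake 415 ct="text/x-unknown"
10.0.0.5 GET /healthz 200 ct=""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) ct="([^"]*)"$')
ENDPOINT_PREFIXES = ("/webhook", "/form")  # assumed endpoint prefixes; adjust to your deployment
EXPECTED_TYPES = {"application/json", "multipart/form-data",
                  "application/x-www-form-urlencoded", "text/plain"}
# RFC 2046 boundary: 1-70 chars from a restricted set, not ending in a space.
BOUNDARY_RE = re.compile(r"^[A-Za-z0-9'()+_,\-./:=? ]{0,69}[A-Za-z0-9'()+_,\-./:=?]$")

def content_type_findings(ct):
    """Return reasons a Content-Type value looks anomalous for a webhook/form request."""
    reasons = []
    # A comma-joined list of media types is never valid for a request body (commas are legal inside a boundary, so treat hits as review triggers).
    media_types = [p.split(";", 1)[0].strip().lower() for p in ct.split(",")]
    if len(media_types) > 1:
        reasons.append("multiple media types in one Content-Type header")
    reasons += [f"unexpected media type {m}" for m in media_types if m not in EXPECTED_TYPES]
    if "multipart/form-data" in media_types:
        m = re.search(r'boundary=(?:"([^"]*)"|([^;,]*))', ct, re.I)
        if not m:
            reasons.append("multipart without boundary parameter")
        else:
            boundary = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
            if not BOUNDARY_RE.match(boundary):
                reasons.append(f"malformed multipart boundary {boundary!r}")
    return reasons

def scan_log(text):
    """Return (client_ip, path, reasons) for webhook/form requests that warrant review."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).startswith(ENDPOINT_PREFIXES):
            reasons = content_type_findings(m.group(5))
            if reasons:
                findings.append((m.group(1), m.group(3), reasons))
    return findings
```

Running scan_log(SAMPLE_LOG) returns the three 198.51.100.7 requests with their reasons; the /healthz probe and the well-formed JSON and multipart requests are not reported.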

Strategic Takeaway

CVE-2026-21858 (“Ni8mare”) highlights a systemic risk in automation platforms:

Tools that orchestrate powerful integrations become high-value targets, and even a single unauthenticated parsing flaw can result in total environment compromise.

Organizations should treat workflow automation engines with the same security rigor as:

  • CI/CD systems
  • Identity providers
  • Cloud control planes