TL;DR

A critical vulnerability in the automation platform n8n (CVE-2026-21858), rated CVSS 10.0 and nicknamed "ni8mare," allows unauthenticated remote code execution via malformed webhooks. n8n released a patch in version 1.121.0; organizations running self-hosted instances are urged to upgrade immediately because no workaround exists.

What happened

Security researchers at Cyera disclosed a maximum-severity vulnerability in the open-source automation tool n8n that permits unauthenticated attackers to execute arbitrary code on reachable instances. The issue, tracked as CVE-2026-21858 and dubbed "ni8mare," stems from how the application processes incoming webhooks. By exploiting a Content-Type confusion in HTTP headers, an attacker can overwrite internal variables, read files from the host, and escalate to full remote code execution. Cyera estimates roughly 100,000 servers may be exposed. The bug was privately reported to n8n on November 9, 2025; n8n confirmed the report the next day and issued a fix in release 1.121.0 on November 18. Because the flaw does not require authentication, any network access to a vulnerable instance can be enough for a compromise. There is no available mitigation other than installing the update.

Why it matters

  • n8n is widely deployed and often granted access to API keys, databases and cloud services, so a compromised instance can expose many high-value secrets.
  • Unauthenticated remote code execution means attackers do not need valid credentials to take control of an instance.
  • Self-hosted deployments may lag on patching, leaving many installations vulnerable for extended periods.
  • Centralized automation platforms can act as a pivot point to broader enterprise infrastructure if breached.

Key facts

  • Vulnerability identifier: CVE-2026-21858.
  • Severity rating: CVSS 10.0 (maximum score).
  • Nickname used by researchers: "ni8mare."
  • Attack type: unauthenticated remote code execution via webhook handling.
  • Root cause: Content-Type confusion that allows overwriting internal application variables.
  • Estimated exposed instances: about 100,000 servers, according to Cyera.
  • Patch: n8n version 1.121.0 (released November 18, 2025).
  • Timeline: privately reported November 9, 2025; vendor confirmed November 10 and patched November 18.
  • No workaround exists other than applying the vendor's update.
  • n8n claims more than 100 million Docker pulls and is used to connect many services and credentials.

What to watch next

  • Whether proof-of-concept exploit code or active attack campaigns targeting unpatched n8n instances appear (not confirmed in the source).
  • Reports of organizations discovering compromises tied to this vulnerability (not confirmed in the source).
  • How quickly self-hosted deployments adopt version 1.121.0, and whether downstream distributions issue advisories (not confirmed in the source).

Quick glossary

  • Remote Code Execution (RCE): A vulnerability that allows an attacker to run arbitrary code on a target system, potentially gaining full control.
  • Webhook: An HTTP callback used by services to send real-time data to an application when specific events occur.
  • CVSS score: Common Vulnerability Scoring System; a numeric value that indicates the severity of a vulnerability.
  • Content-Type header: An HTTP header that indicates the media type of the request body, used by servers to determine how to parse incoming data.
  • Self-hosted: Software deployed and operated by an organization on infrastructure it controls, rather than accessed as a managed cloud service.

Reader FAQ

Is there a patch available for this vulnerability?
Yes. n8n released a fix in version 1.121.0; users should upgrade to 1.121.0 or later.

Can this be mitigated without updating?
No workaround is reported in the source; the only mitigation given is to apply the vendor patch.

How widespread is the exposure?
Cyera estimates roughly 100,000 vulnerable servers may exist.

Has this vulnerability been used in attacks in the wild?
Not confirmed in the source.

What should administrators do now?
Apply the n8n 1.121.0 update as soon as possible and review any instances for suspicious activity (general best practice; specific detection steps not provided in the source).
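The one actionable check the advisory supports is "is every self-hosted instance on 1.121.0 or later?". The script below is an added illustration, not n8n's or Cyera's code: it takes an inventory of instance names and the version string or Docker image tag each one runs (assumed to come from your own deployment manifests; the hostnames and tags in it are constructed) and buckets them into patched, vulnerable and unknown, treating pre-releases of 1.121.0 and floating tags such as `latest` as not proven patched.

```python
import re

# First release containing the fix for CVE-2026-21858 (per the advisory above).
FIXED_VERSION = (1, 121, 0)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease), or None for tags like 'latest'."""
    # Accept a bare version, a 'v' prefix, or an image reference such as
    # 'docker.n8n.io/n8nio/n8n:1.121.0'; only the part after the last ':' matters.
    tag = text.rsplit(":", 1)[-1].lstrip("v")
    m = _VERSION_RE.match(tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is not None)


def is_patched(text):
    """True if >= 1.121.0, False if older, None if the tag carries no version."""
    parsed = parse_version(text)
    if parsed is None:
        return None  # 'latest', 'stable', digest refs: resolve the real version first
    core, is_pre = parsed[:3], parsed[3]
    # '1.121.0-rc.1' predates the fix release, so it is not trusted as patched.
    if core == FIXED_VERSION:
        return not is_pre
    return core > FIXED_VERSION


def triage(inventory):
    """Bucket (name, version_or_tag) pairs into patched / vulnerable / unknown."""
    buckets = {"patched": [], "vulnerable": [], "unknown": []}
    for name, version in inventory:
        status = is_patched(version)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        buckets[key].append(name)
    return buckets


# Constructed sample inventory (hostnames and tags are made up for this example).
SAMPLE_INVENTORY = [
    ("automation-prod", "docker.n8n.io/n8nio/n8n:1.121.0"),
    ("automation-staging", "n8nio/n8n:1.120.4"),
    ("rc-test", "1.121.0-rc.1"),
    ("pinned-latest", "n8nio/n8n:latest"),
    ("new-major", "v2.0.1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {hosts}")
```

Anything landing in the "unknown" bucket needs the running version confirmed from the container itself before it is counted as patched.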

Sources

  • "Maximum-severity n8n flaw lets randos run your automation server" (PATCHES section), subheading "Unauthenticated RCE means anyone on the network can seize full control", by Carly Page, Thu 8 Jan 2026, 11:40 UTC. Excerpt: "A maximum-severity bug in…"
