Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) | Cyera Research Labs

A critical vulnerability (CVE-2026-21858), dubbed "Ni8mare", allows unauthenticated attackers to gain complete control over n8n workflow automation instances[1]. The flaw, rated at the maximum CVSS score of 10.0, affects all versions prior to 1.121.0 and enables attackers to read files, bypass authentication, and execute arbitrary commands[2].

The vulnerability stems from a Content-Type confusion in n8n's Form Webhook handling, through which attackers can manipulate file paths to read sensitive system files and escalate privileges[3]. Cyera Research Labs found that approximately 100,000 exposed servers worldwide are at risk[1].

Key timeline:

  • November 9, 2025: Vulnerability reported to n8n
  • November 18, 2025: Patched in version 1.121.0
  • January 6, 2026: CVE assigned
  • January 7, 2026: Public disclosure

Censys reports 26,512 exposed n8n hosts, with most located in the US (7,079), Germany (4,280), and France (2,655)[4].

Required actions:

  • Upgrade to version 1.121.0 or later
  • Avoid exposing n8n to the internet
  • Require authentication for all Forms
  • Rotate stored credentials and API tokens[2]
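As an added example (not code from Cyera's advisory or the n8n project), a small triage helper that flags instances still below the 1.121.0 fix version and maps the required actions above onto each host; the `Host` record, its fields and the inventory entries are constructed for illustration, and semver ordering (a pre-release of 1.121.0 counts as prior to it) is an assumption.

```python
"""Triage helper for CVE-2026-21858: flag n8n instances on a version prior to
1.121.0 and list which of the advisory's required actions still apply."""
import re
from typing import NamedTuple

PATCHED = (1, 121, 0)  # first fixed release named in the advisory

# Accepts '1.120.3', 'v1.121.0' or '1.121.0-rc.1' (optional pre-release tag).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease); ValueError if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    return core, m.group(4) is not None


def is_vulnerable(version: str) -> bool:
    """True when the version precedes 1.121.0. Assumption: semver ordering, so
    a pre-release build of 1.121.0 itself (e.g. 1.121.0-rc.1) is still prior."""
    core, prerelease = parse_version(version)
    return core < PATCHED or (core == PATCHED and prerelease)


class Host(NamedTuple):  # constructed inventory record, not an n8n data type
    name: str
    version: str
    internet_exposed: bool
    forms_require_auth: bool


def required_actions(host: Host) -> list[str]:
    """Map the advisory's four required actions onto one host's current state."""
    actions = []
    if is_vulnerable(host.version):
        actions.append("upgrade to 1.121.0 or later")
        # Secrets held by an unpatched instance should be treated as exposed.
        actions.append("rotate stored credentials and API tokens")
    if host.internet_exposed:
        actions.append("remove direct internet exposure")
    if not host.forms_require_auth:
        actions.append("require authentication for all Forms")
    return actions


SAMPLE_INVENTORY = [  # constructed sample data
    Host("automation-prod", "1.118.2", True, False),
    Host("automation-staging", "v1.121.0-rc.1", False, True),
    Host("automation-dev", "1.123.0", False, True),
]


def triage(hosts=SAMPLE_INVENTORY) -> dict[str, list[str]]:
    return {h.name: required_actions(h) for h in hosts}
```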

[1]: [Cyera Research Labs - Ni8mare - Unauthenticated Remote Code Execution in n8n](https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858)
[2]: Aikido - n8n Critical Vulnerability Explained
[3]: [The Hacker News - Critical n8n Vulnerability Allows Unauthenticated Attackers to Take Full Control](https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html)
[4]: The Hacker News - Update section on Censys findings
