VTA-004551 – Ni8mare Flaw Exposes n8n Automation Servers to Unauthenticated Takeover

A critical vulnerability in n8n, a widely used open-source workflow automation platform that connects applications, APIs and internal services to streamline business processes. Tracked as CVE-2026-21858 and nicknamed “Ni8mare,” this flaw has been assigned the highest possible severity score of 10.0 (CVSS) due to its ability to allow unauthenticated remote attackers to execute arbitrary code on vulnerable instances without needing credentials.

The vulnerability stems from a content-type parsing flaw in the platform’s handling of Form Webhook endpoints, where improper input validation enables attackers to supply specially crafted requests that bypass normal safeguards. By exploiting this logic weakness, a remote adversary can trigger a chain of malicious file access, extract sensitive information like credentials or configuration secrets, manipulate session tokens, and escalate into full remote code execution on the hosting server. This attack path essentially collapses multiple security boundaries with a single malformed request, making the issue especially dangerous for publicly exposed or poorly segmented deployments.

Self-hosted n8n instances running versions prior to 1.121.0 are affected and estimates suggest that hundreds of thousands of deployments worldwide may be reachable and exploitable due to widely exposed webhook and form endpoints. Because n8n often holds elevated access including API keys, OAuth tokens, database connections and integration credentials across an organization’s IT ecosystem a successful exploit doesn’t just compromise the automation engine itself; it potentially opens the door to broader infrastructure breaches and data theft.

Severity:
Medium

Attack Surface:
Infrastructure, System Management Service, Web Application

Tactics:
Credential Access, Discovery, Execution, Initial Access, Lateral Movement, Privilege Escalation

Techniques:
T1190 – Exploit Public-Facing Application
T1059 – Command and Scripting Interpreter
T1068 – Exploitation for Privilege Escalation
T1552 – Unsecured Credentials
T1083 – File and Directory Discovery
T1078.002 – Privilege Escalation: Valid Accounts

Indicator of Compromise:
1. https://otx.alienvault.com/pulse/69609819a850da6d7d6c3dbc

References:
1. https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858

SuperPRO’s Threat Countermeasures Procedures:
1. Immediately upgrade n8n to version 1.121.0 or later, which patches CVE-2026-21858.
2. For self-hosted deployments, restrict public exposure of Form Webhook endpoints, enforce network-level access controls (IP allowlists or VPN) and rotate all stored credentials (API keys, OAuth tokens, database secrets) created prior to patching.
3. Review workflow execution logs for unauthenticated requests and unexpected file system access.

Contributed by: Thivya