Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)

Key Takeaways

• A critical unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2026-21858, CVSS 10.0) affects n8n, a widely used workflow automation platform.
  
• The vulnerability allows full compromise of locally deployed n8n instances, including arbitrary file access, authentication bypass, and command execution.
  
• The issue was discovered and responsibly disclosed by Cyera Research Labs, who named it 'Ni8mare' with patches released shortly after.
  
• Organizations running affected n8n versions should upgrade immediately and review exposure of Forms and Webhooks.
  
• Recent disclosures highlight automation platforms as high-impact attack surfaces due to their access to credentials, APIs, and internal systems.
  

In addition to CVE-2026-21858, n8n has disclosed other critical vulnerabilities in the same time period, including issues involving arbitrary file access and authenticated remote code execution. While the root causes differ, they collectively reinforce the importance of timely upgrades and minimizing exposure of workflow entry points.

TL;DR: How to Check If You Are Affected

You may be affected if you are running a self-hosted n8n instance on a version within the affected ranges disclosed by n8n, particularly versions prior to 1.121.0, and in some cases prior to 1.121.3 depending on configuration and enabled features. Risk is highest where Forms or Webhooks are publicly accessible.

Option 1: Use Aikido (Free)

Aikido helps teams identify:

• n8n instances running vulnerable versions
  
• Internet-exposed Forms and Webhooks
  
• Workflow configurations that meaningfully increase exploitability
  

This visibility is available in the free version of the Aikido platform.

Option 2: Manual Verification

• Check your running n8n version
  
• Review whether Form nodes accept unauthenticated input
  
• Inspect exposure of /form and /webhook endpoints
  
• Review enabled nodes that allow file access or command execution
  

Remediation Steps

Organizations running affected versions should:

1. Upgrade n8n to version 1.121.0 or later, and to 1.121.3 where applicable
   
2. Restrict unnecessary internet exposure of n8n
   
3. Require authentication for all Forms
   
4. Rotate API keys, OAuth tokens, and credentials stored in workflows
   
5. Review workflow execution logs for suspicious activity
   
6. Limit or disable the Execute Command node unless strictly required
   

Who Is Impacted

You may be impacted if:

• You operate a locally deployed n8n instance
  
• Your version falls within the affected ranges disclosed by n8n
  
• You expose Form or Webhook nodes to untrusted users
  

While some recently disclosed n8n vulnerabilities require an authenticated user, the most severe attack paths involve unauthenticated access to publicly exposed Forms or Webhooks. These issues primarily affect self-hosted deployments rather than managed SaaS environments.

Background

n8n is widely used to orchestrate workflows across cloud services, internal tools, AI systems, and business processes.

Because of this, a single n8n instance often has broad access to internal systems, privileged credentials and tokens, and the ability to trigger actions across environments. This makes automation platforms a high-value target for attackers.

What Is the Attack About?

CVE-2026-21858 exploits a Content-Type confusion flaw in how n8n parses incoming HTTP requests to Form Webhooks.

At a high level:

• Request parsing behavior depends on the Content-Type header
  
• Certain file-handling logic assumes multipart uploads
  
• Attackers can override internal file references using crafted JSON
  

This allows attackers to:

• Read arbitrary files from disk
  
• Extract secrets and databases
  
• Forge authentication sessions
  
• Execute arbitrary commands
  

Initial Impact

According to Cyera’s research:

• An estimated 100,000 servers may be exposed globally
  
• Organizations across multiple industries are affected
  
• Potentially exposed assets include:
  
  • Cloud and API credentials
    
  • OAuth tokens
    
  • CI/CD secrets
    
  • Sensitive business data
    

Technical Deep Dive

Where the Vulnerability Lived

The flaw resides in the Form Webhook node, which processes file uploads.

Unlike other webhook handlers, this path does not strictly enforce multipart content validation, assumes internal file objects are trusted, and copies attacker-controlled file paths into persistent storage.

What It Could Do

By chaining this flaw, attackers can:

• Read files such as /etc/passwd
  
• Extract the local SQLite database
  
• Recover encryption keys
  
• Forge valid admin sessions
  
• Execute arbitrary OS commands
  

Proof of Concept (High-Level)

Cyera demonstrated a complete compromise chain:

1. Arbitrary file read via Form submission
   
2. Credential and secret extraction from the database
   
3. Session forgery using recovered signing material
   
4. Full remote code execution
   

Why These Vulnerabilities Occur

These issues tend to arise when:

• User input influences trusted internal objects
  
• Content-Type assumptions are implicit rather than enforced
  
• Platforms accumulate high privilege and broad connectivity
  
• Security hardening lags behind feature expansion
  

FAQ: n8n Critical Vulnerabilities Explained

Is this the same issue as other recent n8n CVEs?

No. CVE-2026-21858 is an unauthenticated remote code execution vulnerability related to improper handling of webhook and form requests.

Other recent n8n advisories describe different issues, including authenticated vulnerabilities involving arbitrary file access or file writes. While technically distinct, they expose similar risks when workflow entry points are broadly accessible.

Does this affect n8n Cloud or only self-hosted deployments?

This issue primarily affects self-hosted n8n instances.

The most severe attack paths rely on access to local files and instance-level secrets, which are not exposed in the same way in managed environments.

Does exploitation require authentication?

No. For CVE-2026-21858, authentication is not required if vulnerable endpoints are exposed.

Unauthenticated attack paths are generally higher risk because they can be exploited remotely and at scale.

If I upgrade, am I fully protected?

Upgrading to the patched versions addresses the known vulnerabilities. However, security also depends on configuration.

Teams should combine upgrades with reduced exposure, authenticated Forms, and careful review of high-risk workflow nodes.

Why are automation platforms being targeted more often?

Automation platforms connect many systems and hold privileged credentials. Compromising one platform can provide access to multiple downstream systems, making them attractive targets for attackers.

How does Aikido help with issues like this?

Aikido helps teams:

• Detect vulnerable automation platforms in real environments
  
• Identify exposed Forms, Webhooks, and risky workflow entry points
  
• Prioritize issues based on real exploit paths, not just CVE severity
  
• Act quickly with clear remediation guidance
  

Conclusion

This vulnerability highlights a broader reality. Automation platforms have become critical infrastructure.

Securing them requires timely patching, reduced exposure, and visibility into how vulnerabilities can actually be exploited in real environments.

Appendix

• CVE: CVE-2026-21858
  
• Affected Versions: Versions prior to 1.121.0, and in some cases prior to 1.121.3
  
• Attack Type: Unauthenticated Remote Code Execution
  
• Components: Form Webhook, File Handling, Session Management
  

References

• Cyera Research Labs: Unauthenticated Remote Code Execution in n8n
  
• GitHub Security Advisories
  
• Aikido Intel

‍