Perceptive Security
SOC/SIEM Consultancy

Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Control
Published:
7 January 2026 at 13:48:00
Alert date:
7 January 2026 at 16:02:13
Source:
thehackernews.com
Enterprise Applications, Zero-Day Vulnerabilities, Web Technologies
Cyera Research Labs disclosed a critical vulnerability (CVE-2026-21858) in the n8n workflow automation platform, rated at the maximum CVSS score of 10.0. The flaw, codenamed Ni8mare and discovered by Cyera researcher Dor Attias, allows unauthenticated remote attackers to gain complete control of vulnerable instances. Because no credentials are required and the affected webhook and form endpoints are built to be reachable by external callers, any internet-exposed instance is at immediate risk.
Technical details
CVE-2026-21858 is a Content-Type confusion vulnerability in n8n's webhook and file-handling code. The parseRequestBody() function routes each incoming request on its Content-Type header: for multipart/form-data it calls parseFormData(), which stores the parsed upload metadata in req.body.files; for any other type it calls parseBody(), which stores the parsed body (for example JSON) in req.body. Downstream file-handling functions such as copyBinaryFile() then act on req.body.files without checking that the request was actually multipart/form-data. An attacker can therefore send a non-multipart body that itself contains a files object with a filepath of their choosing, and the handler will read that local path as if it were an uploaded file, giving arbitrary local file read. The vulnerable flow is formWebhook(), which invokes copyBinaryFile() on req.body.files without this validation. The files named in the mitigation section below (/home/node/.n8n/database.sqlite and /home/node/.n8n/config) are the natural targets, since they hold the instance's stored credential data and its configuration.
Mitigation steps:
Upgrade to n8n version 1.121.0 or later immediately
Avoid exposing n8n to the internet
Enforce authentication on all form (Form Trigger) endpoints
As a temporary workaround, restrict or disable publicly accessible webhook and form endpoints
Monitor for unauthorized reads of sensitive files such as /home/node/.n8n/database.sqlite and /home/node/.n8n/config
Review and secure API credentials, OAuth tokens, database connections, and cloud storage access
Affected products:
n8n workflow automation platform - versions from 1.65.0 up to, but not including, the fixed release 1.121.0 named in the mitigation steps above
Related links:
https://www.npmjs.com/package/n8n?activeTab=versions
https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
https://thehackernews.com/2025/12/critical-n8n-flaw-cvss-99-enables.html
https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html
https://thehackernews.com/2026/01/n8n-warns-of-cvss-100-rce-vulnerability.html
https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.webhook/
https://docs.n8n.io/integrations/creating-nodes/build/reference/http-helpers/
https://github.com/node-formidable/formidable
https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.executecommand/
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.