
Max severity Ni8mare flaw impacts nearly 60,000 n8n instances

Published:

12 January 2026 at 14:05:54

Alert date:

12 January 2026 at 15:00:33

Source:

bleepingcomputer.com


Enterprise Applications, Zero-Day Vulnerabilities

A maximum-severity vulnerability dubbed 'Ni8mare' affects nearly 60,000 n8n instances exposed online. The flaw remains unpatched across the majority of affected systems, posing significant security risks. n8n is a workflow automation tool that allows users to connect different services and APIs. The vulnerability's maximum severity rating indicates it could allow for complete system compromise. With tens of thousands of instances remaining vulnerable, this represents a widespread security threat requiring immediate attention from administrators.

Technical details

CVE-2026-21858 is a maximum severity vulnerability dubbed 'Ni8mare' affecting the n8n workflow automation platform. The flaw stems from an improper input validation weakness that allows remote, unauthenticated attackers to take control of locally deployed n8n instances after gaining access to files on the underlying server. The vulnerability is specifically a content-type confusion in how n8n parses data. An n8n instance is potentially vulnerable if it has an active workflow with a Form Submission trigger accepting a file element, and a Form Ending node returning a binary file. The vulnerability can be exploited to expose secrets stored on the instance, forge session cookies to bypass authentication, inject sensitive files into workflows, or even execute arbitrary commands.

Mitigation steps:

Upgrade n8n instances to version 1.121.0 or later as soon as possible. For admins who cannot immediately upgrade, restrict or disable publicly accessible webhook and form endpoints. Use the provided workflow template to scan instances for potentially vulnerable workflows. Nearly 60,000 instances remain exposed online with over 28,000 IPs in the United States and over 21,000 in Europe requiring immediate attention.
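The two checks the mitigation steps describe, a version comparison against the affected range and a scan of exported workflows for the Form Trigger (file field) plus Form Ending (binary file) combination, as an added Python example. This is not Perceptive's text nor n8n's own scanning workflow template. The node type identifiers (`n8n-nodes-base.formTrigger`, `n8n-nodes-base.form`) and the parameter names (`formFields.values[].fieldType`, `operation`, `respondWith`) are assumptions about n8n's workflow export JSON and are not stated in the advisory; the sample workflows are constructed for the example.

```python
import json
import re
from typing import List, Optional

# Affected range as stated in the advisory: n8n 1.65 through 1.120.4, fixed in 1.121.0.
FIRST_AFFECTED = (1, 65, 0)
FIXED_IN = (1, 121, 0)

# ASSUMPTION: node type strings and parameter names of n8n's exported workflow JSON.
# They are not given in the advisory; compare them with your own exported workflows.
FORM_TRIGGER_TYPE = "n8n-nodes-base.formTrigger"
FORM_NODE_TYPE = "n8n-nodes-base.form"


def parse_version(version: str) -> tuple:
    """Turn '1.120.4', '1.65' or 'n8n@1.100.0' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(version: str) -> bool:
    """True when the version lies in [1.65.0, 1.121.0), i.e. needs the upgrade."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def has_file_form_trigger(node: dict) -> bool:
    """Form Trigger node whose form contains at least one file upload field."""
    if node.get("type") != FORM_TRIGGER_TYPE:
        return False
    fields = node.get("parameters", {}).get("formFields", {}).get("values", [])
    return any(f.get("fieldType") == "file" for f in fields)


def has_binary_form_ending(node: dict) -> bool:
    """Form Ending node (completion step) that responds with a binary file."""
    if node.get("type") != FORM_NODE_TYPE:
        return False
    params = node.get("parameters", {})
    return params.get("operation") == "completion" and params.get("respondWith") == "returnBinary"


def flag_workflow(workflow: dict) -> Optional[dict]:
    """Return a finding when both risky nodes are present, else None.

    Inactive workflows are reported too (with active=False) because they become
    exposed the moment someone activates them.
    """
    nodes = workflow.get("nodes", [])
    triggers = [n.get("name", "?") for n in nodes if has_file_form_trigger(n)]
    endings = [n.get("name", "?") for n in nodes if has_binary_form_ending(n)]
    if not triggers or not endings:
        return None
    return {
        "workflow": workflow.get("name", "<unnamed>"),
        "active": bool(workflow.get("active", False)),
        "file_triggers": triggers,
        "binary_endings": endings,
    }


def scan_workflows(workflows: List[dict]) -> List[dict]:
    """Scan a list of exported workflows and collect the findings."""
    return [f for f in (flag_workflow(w) for w in workflows) if f is not None]


def scan_json(text: str) -> List[dict]:
    """Accept an export containing either one workflow object or a list of them."""
    data = json.loads(text)
    return scan_workflows(data if isinstance(data, list) else [data])


# Constructed sample export (not real workflows): one matching the vulnerable
# pattern, one ordinary contact form that does not.
SAMPLE_WORKFLOWS = [
    {"name": "Upload receipt and return PDF", "active": True, "nodes": [
        {"name": "On form submission", "type": FORM_TRIGGER_TYPE,
         "parameters": {"formFields": {"values": [{"fieldLabel": "Receipt", "fieldType": "file"}]}}},
        {"name": "Form", "type": FORM_NODE_TYPE,
         "parameters": {"operation": "completion", "respondWith": "returnBinary"}},
    ]},
    {"name": "Contact form", "active": True, "nodes": [
        {"name": "On form submission", "type": FORM_TRIGGER_TYPE,
         "parameters": {"formFields": {"values": [{"fieldLabel": "Email", "fieldType": "email"}]}}},
        {"name": "Form", "type": FORM_NODE_TYPE,
         "parameters": {"operation": "completion", "respondWith": "text"}},
    ]},
]

if __name__ == "__main__":
    for v in ("1.64.9", "1.65", "1.120.4", "1.121.0"):
        print(f"{v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for finding in scan_json(json.dumps(SAMPLE_WORKFLOWS)):
        print("potentially vulnerable workflow:", finding)
```

Run it against a JSON export of your workflows (or the output of the REST workflows endpoint) and treat every finding on an instance below 1.121.0 as a candidate for the interim mitigation: deactivate the workflow or block the public form endpoint until the upgrade is done.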

Affected products:

n8n versions 1.65 through 1.120.4
n8n workflow automation platform

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
