Maximum-severity n8n flaw lets randos run your automation server
Summary
A critical, unauthenticated remote code execution (RCE) vulnerability (CVE-2026-21858), nicknamed “ni8mare”, affects the popular self-hosted automation platform n8n and carries a CVSS score of 10.0. Researchers at Cyera discovered a Content-Type confusion in the way n8n handles webhooks that allows an attacker to overwrite internal variables, read arbitrary files and escalate to full code execution. n8n released a fix in version 1.121.0 (shipped 2025-11-18). There is no workaround other than patching; unpatched instances reachable on the network can be completely compromised, exposing API keys, OAuth tokens, databases and other connected systems.
Key Points
- Unauthenticated RCE (CVE-2026-21858) in n8n enables full server takeover and carries a 10.0 CVSS score.
- The root cause is a Content-Type confusion in webhook processing that lets attackers overwrite internal application variables.
- An attacker who can reach a vulnerable instance can read files and achieve arbitrary code execution without credentials.
- n8n patched the issue in version 1.121.0 (2025-11-18); organisations must upgrade — there is no other effective mitigation.
- Because n8n centralises access to many services, a compromised instance can expose high-value secrets and has a very large blast radius.
Context and Relevance
n8n is widely deployed to automate workflows across chat apps, forms, storage, databases and third-party APIs. That central role means a single compromised n8n server can provide attackers with keys to many parts of an organisation’s infrastructure. The flaw underscores the risks of self-hosted orchestration tools and the importance of prompt patch management for internet-facing and shared internal services.
Why should I read this?
Quick and blunt: if n8n runs in your estate, this is one you can’t ignore. Patch to 1.121.0 right away or you might hand attackers the keys to everything. The piece explains how the bug works, why it matters, and what you need to do — so you don’t have to dig through the original research unless you want the technical deep dive.
Author style
Punchy: this is urgent and high-impact. If you manage infrastructure, treat it like an incident — inventory n8n instances, upgrade immediately, and hunt for signs of compromise. If you’re responsible for security posture, escalate and verify remediation across self-hosted deployments.
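The inventory-and-upgrade step above is easy to get wrong when versions are compared as plain strings ("1.9.0" sorts after "1.121.0") or when a release-candidate build of the fixed version is mistaken for the fix. The script below is an added example, not code from the article, from Cyera or from the n8n project: it parses n8n version strings, compares them against the 1.121.0 fix version named on the page, and sorts a constructed inventory into patched, unpatched and unknown, with internet-facing unpatched hosts listed first. The `Instance` record layout, the example hostnames and how you obtain each instance's version are assumptions; only the fix version comes from the advisory.

```python
"""Triage an n8n inventory against the fixed version for CVE-2026-21858.

Added example, not from the article or the n8n project. The inventory
records are constructed; the only fact taken from the page is that the
fix shipped in n8n 1.121.0.
"""
import re
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = "1.121.0"  # from the advisory: first patched release

# Accepts "1.121.0", "v1.121.0" and pre-release forms such as "1.121.0-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Return (major, minor, patch, prerelease-or-None); raise on garbage.

    Components are converted to int so that 1.9.0 < 1.121.0, which a
    string comparison would get backwards.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_patched(version):
    """True if `version` is 1.121.0 or later.

    A pre-release of the fix version (e.g. 1.121.0-rc.1) is older than the
    final 1.121.0 release and is therefore treated as unpatched.
    """
    core = parse_version(version)
    fixed = parse_version(FIXED_VERSION)
    if core[:3] != fixed[:3]:
        return core[:3] > fixed[:3]
    return core[3] is None


@dataclass
class Instance:
    host: str
    version: Optional[str]  # None when the version could not be determined
    exposure: str           # "internet" or "internal" (assumed labels)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Instance("n8n-prod.example.internal", "1.120.4", "internet"),
    Instance("n8n-dev.example.internal", "1.121.0-rc.1", "internal"),
    Instance("n8n-ops.example.internal", "1.122.3", "internal"),
    Instance("n8n-legacy.example.internal", None, "internet"),
    Instance("n8n-test.example.internal", "0.236.0", "internal"),
]


def triage(instances):
    """Split instances into patched / unpatched / unknown host lists.

    Unpatched hosts are ordered internet-facing first, then by hostname,
    so the list doubles as an upgrade order. Hosts whose version could
    not be read go to "unknown" and should be treated as unpatched until
    verified.
    """
    result = {"patched": [], "unpatched": [], "unknown": []}
    for inst in instances:
        if inst.version is None:
            result["unknown"].append(inst)
            continue
        try:
            bucket = "patched" if is_patched(inst.version) else "unpatched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(inst)

    def priority(inst):
        return (0 if inst.exposure == "internet" else 1, inst.host)

    return {
        key: [inst.host for inst in sorted(group, key=priority)]
        for key, group in result.items()
    }


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for key in ("unpatched", "unknown", "patched"):
        print(f"{key}:")
        for host in report[key]:
            print(f"  {host}")
```

Feed it your real inventory in place of `SAMPLE_INVENTORY` (however you collect versions, treat any instance you cannot read as unpatched until you have confirmed otherwise) and work the `unpatched` list top to bottom.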
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/08/n8n_rce_bug/
