Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Control
A critical security vulnerability has been identified in n8n, a widely-used open-source workflow automation platform. This flaw, designated as CVE-2026-21858 with a CVSS score of 10.0, enables unauthenticated remote attackers to gain complete control over affected instances. The vulnerability, dubbed Ni8mare by Cyera Research Labs, was discovered by security researcher Dor Attias and reported on November 9, 2025.
Understanding the Vulnerability
CVE-2026-21858 arises from a Content-Type confusion flaw within n8n’s webhook and file-handling mechanisms. Webhooks in n8n are designed to receive data from external applications and services when specific events occur. The vulnerability is exploited through the following process:
1. Parsing Mechanism Flaw: n8n’s function `parseRequestBody()` reads the Content-Type header of incoming requests to determine the appropriate parsing method. If the header is set to multipart/form-data, indicating form data, the function `parseFormData()` is invoked to handle file uploads. For all other content types, `parseBody()` is used to process the request body.
2. Global Variable Manipulation: The `parseFormData()` function utilizes the `formidable` Node.js module to parse form data and stores the decoded result in a global variable `req.body.files`. This data is then processed by the webhook. However, the regular body parser processes the request body and stores the extracted data in a different global variable, `req.body`.
3. Exploitation: An attacker can craft a malicious HTTP request with a manipulated Content-Type header and body structure to exploit this parsing mechanism flaw. By doing so, they can override internal state, access sensitive files—including authentication secrets—forge administrator sessions, and ultimately execute arbitrary code on the host system.
Impacted Versions and Immediate Actions
All versions of n8n up to and including 1.65.0 are vulnerable to CVE-2026-21858. The issue has been addressed in version 1.121.0, released on November 18, 2025. Users are strongly advised to upgrade to this version or later to mitigate the risk.
Potential Consequences of Exploitation
Successful exploitation of this vulnerability can lead to:
– Full System Compromise: Attackers can gain complete control over the affected n8n instance, allowing them to execute arbitrary commands with the same privileges as the n8n process.
– Data Exfiltration: Unauthorized access to sensitive information stored on the system, including credentials and personal data.
– Workflow Manipulation: Modification or sabotage of existing workflows, potentially disrupting business operations.
– Lateral Movement: Use of the compromised n8n instance as a foothold to access other systems within the network.
Recent Security Concerns in n8n
This disclosure follows a series of critical vulnerabilities identified in n8n over the past weeks:
1. CVE-2025-68613: An improper control of dynamically-managed code resources, allowing authenticated attackers to achieve remote code execution under certain conditions. Fixed in versions 1.120.4, 1.121.1, and 1.122.0.
2. CVE-2025-68668 (N8scape): A sandbox bypass vulnerability enabling authenticated users with workflow creation or modification permissions to execute arbitrary commands on the host system. Fixed in version 2.0.0.
3. CVE-2026-21877: An unrestricted upload of a file with a dangerous type vulnerability, allowing authenticated attackers to execute untrusted code via the n8n service, leading to full instance compromise. Fixed in version 1.121.3.
Mitigation Strategies
While upgrading to the patched version is the most effective mitigation, if immediate patching is not feasible, administrators should consider the following temporary measures:
– Disable the Git Node: Reducing the attack surface by disabling nodes that may be exploited.
– Restrict Access: Limiting access for untrusted or low-privilege users to minimize potential exploitation avenues.
– Apply Node-Level Controls: Implementing controls to block specific nodes at runtime, as outlined in n8n’s documentation on blocking access to nodes.
Conclusion
The discovery of CVE-2026-21858 underscores the critical importance of maintaining up-to-date software and implementing robust security practices. Organizations utilizing n8n should prioritize upgrading to the latest version to protect their systems from potential exploitation. Additionally, reviewing and strengthening access controls, monitoring for unusual activity, and educating users on security best practices are essential steps in safeguarding against such vulnerabilities.
