A critical vulnerability (CVE-2026-21858) dubbed “Ni8mare” allows unauthenticated attackers to gain complete control over n8n workflow automation instances[^1]. The flaw, which received the highest CVSS score of 10.0, affects all versions prior to 1.121.0 and enables attackers to read files, bypass authentication, and execute arbitrary commands[^2].

The vulnerability stems from a Content-Type confusion in n8n’s Form Webhook handling, where attackers can manipulate file paths to read sensitive system files and escalate privileges[^3]. Cyera Research Labs discovered approximately 100,000 exposed servers globally are at risk[^1].

Key timeline:

  • November 9, 2025: Vulnerability reported to n8n
  • November 18, 2025: Patched in version 1.121.0
  • January 6, 2026: CVE assigned
  • January 7, 2026: Public disclosure

Censys reports 26,512 exposed n8n hosts, with most located in the US (7,079), Germany (4,280), and France (2,655)[^4].

Required actions:

  • Upgrade to version 1.121.0 or later
  • Avoid exposing n8n to the internet
  • Require authentication for all Forms
  • Rotate stored credentials and API tokens[^2]

[^1]: Cyera Research Labs - Ni8mare - Unauthenticated Remote Code Execution in n8n [^2]: Aikido - n8n Critical Vulnerability Explained [^3]: The Hacker News - Critical n8n Vulnerability Allows Unauthenticated Attackers to Take Full Control [^4]: The Hacker News - Update section on Censys findings