A vulnerability was discovered in the workflow automation tool 'n8n' that allows attackers to execute remote code without authentication

A research team at data security platform Cyera has discovered a critical vulnerability in n8n , a no-code workflow automation tool, called ' Ni8mare ( CVE-2026-21858 ), ' which allows remote code execution without authentication.

Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) | Cyera Research Labs
https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858

Cyera Research Labs has identified a critical vulnerability in n8n that allows unauthenticated remote code execution in locally deployed instances.

The issue, tracked as CVE-2026-21858 with a CVSS score of 10.0, enables full instance takeover.

If you are running n8n on… pic.twitter.com/9eqPw5OX75

— Cyera (@cyera_io) January 7, 2026

Unauthenticated File Access via Improper Webhook Request Handling · Advisory · n8n-io/n8n · GitHub
https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg

Max severity Ni8mare flaw lets hackers hijack n8n servers
https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/

n8n is an open-source workflow automation tool that allows you to integrate applications, APIs, and services into complex workflows through a visual editor. It is primarily used for task automation, and at the time of writing, it also supports integration with AI and large-scale language models.

You can find out what kind of tool n8n is by reading the following article.

I tried to create a workflow that 'outputs the title and URL of the website obtained by RSS to Google Spreadsheet' using 'n8n', which can automate multiple apps like IFTTT and Zapier - GIGAZINE

Cyera's research team has reported that they have discovered a vulnerability called 'Ni8mare' that allows attackers to access files on n8n's servers, which are the foundation of certain form-based workflows, by executing them.

Ni8mare exploits the way incoming data is processed based on the 'content-type' header configured in the webhook , which triggers events in a workflow based on specific messages. By changing the content type of the webhook request, an attacker can bypass the upload parser and read arbitrary files from the n8n instance.

This could allow an attacker to steal sensitive data stored on the instance, inject sensitive files into workflows, forge session cookies to bypass authentication, or even execute arbitrary commands.

In its vulnerability report, n8n states, 'Vulnerable workflows could grant access to an unauthenticated remote attacker, potentially leading to the disclosure of sensitive information stored on the system and potentially leading to further compromise depending on the deployment configuration and workflow usage.'

Ni8mare was reported to n8n on November 9, 2025, and fixed in n8n version 1.121.0. While there is no official workaround other than upgrading, n8n recommended limiting or disabling exposed webhook and form endpoints as a temporary workaround until an upgrade is available.