
Researchers have disclosed the flaw, tracked as CVE-2026-21858, which carries a maximum CVSS score of 10.0 and already has a working proof-of-concept exploit, leaving administrators scrambling to patch.
The vulnerability stems from a content-type confusion bug in n8n’s webhook request-parsing logic.

By manipulating HTTP headers, unauthenticated attackers can read arbitrary files from affected systems, forge administrator authentication tokens, and execute arbitrary code with full server privileges.

The n8n security team has confirmed the issue and released patches in version 1.121.0 and later. No workarounds exist for older versions.

| CVE Details | Information |
|---|---|
| CVE ID | CVE-2026-21858 |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network / Unauthenticated |
| Impact | Complete Server Takeover |
| Affected Versions | n8n < 1.121.0 |
| Fixed Versions | 1.121.0+ |
| Exploit Status | Public PoC Available |
| Vulnerable Hosts (Shodan) | ~26,512 exposed instances |

The Vulnerability Mechanics
The flaw resides in n8n’s webhook middleware, which dynamically routes incoming requests based on the HTTP Content-Type header.
When a request declares multipart/form-data, n8n invokes Formidable, a Node.js library that securely parses file uploads.
However, for other content types, n8n uses a generic body parser that populates req.body with the raw request data.
The critical issue: the Form webhook node, which is responsible for handling user uploads in workflows, fails to validate the Content-Type header before processing files, so data placed in req.body by the generic parser can reach the file-handling path.
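To make the mechanics concrete from the defender's side, the following is an added example and not n8n's code: a form-upload handler that trusts whatever a generic parser left in req.body, beside a hardened version that only lets a well-formed multipart/form-data request reach the file path and only trusts the multipart parser's own output, plus a small detection routine that flags POSTs to form endpoints arriving with a non-multipart body. The request shape (headers, body, uploadedFiles), the files key, the access-log format and the /form/ path prefix are assumptions constructed for this example.

```javascript
// Added example (not n8n's code): gate a form-upload webhook on its Content-Type
// before any file handling, and flag requests that bypass the multipart path.
// The request shape ({ headers, body, uploadedFiles }), the "files" key, the log
// format and the "/form/" path prefix are assumptions constructed for this example.

// Parse "type/subtype; param=value; ..." into { type, params } (type lower-cased,
// quotes stripped from parameter values). Returns null for a missing/empty header.
function parseContentType(headerValue) {
  if (typeof headerValue !== "string" || headerValue.trim() === "") return null;
  const [mediaType, ...rawParams] = headerValue.split(";").map((s) => s.trim());
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf("=");
    if (eq > 0) {
      const key = p.slice(0, eq).trim().toLowerCase();
      const value = p.slice(eq + 1).trim().replace(/^"|"$/g, "");
      params[key] = value;
    }
  }
  return { type: mediaType.toLowerCase(), params };
}

// Unchecked pattern of the kind the article describes: the form handler reads file
// entries from req.body, which a generic body parser may have filled from a
// non-multipart body. The "files" key is an assumption of this example.
function handleFormUploadUnchecked(req) {
  const files = (req.body && req.body.files) || [];
  return { accepted: true, files };
}

// Hardened form: only a multipart/form-data request with a boundary reaches the
// file path, and only the multipart parser's own output (req.uploadedFiles, assumed
// here to be what the upload library produced) is trusted. Anything another parser
// placed in req.body is never interpreted as file metadata.
function handleFormUploadHardened(req) {
  const ct = parseContentType(req.headers && req.headers["content-type"]);
  if (!ct || ct.type !== "multipart/form-data" || !ct.params.boundary) {
    return { accepted: false, status: 415, reason: "form endpoint requires multipart/form-data" };
  }
  const files = Array.isArray(req.uploadedFiles) ? req.uploadedFiles : [];
  return { accepted: true, files };
}

// Detection over a constructed access-log format (assumed, not n8n's own logging):
//   <timestamp> <method> <path> <status> content-type="<value>"
const LOG_LINE = /^(\S+) (\S+) (\S+) (\d{3}) content-type="([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ts: m[1], method: m[2], path: m[3], status: Number(m[4]), contentType: m[5] };
}

// Flag POSTs under the form path prefix whose Content-Type is not multipart/form-data;
// on an unpatched instance these are the requests that reach the file path unchecked.
function findNonMultipartFormRequests(lines, formPrefix = "/form/") {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry || entry.method !== "POST" || !entry.path.startsWith(formPrefix)) continue;
    const ct = parseContentType(entry.contentType);
    if (!ct || ct.type !== "multipart/form-data") hits.push(entry);
  }
  return hits;
}

// Constructed sample lines (not real traffic).
const SAMPLE_LOG = [
  '2026-01-01T10:00:00Z POST /form/intake 200 content-type="multipart/form-data; boundary=----x"',
  '2026-01-01T10:00:05Z POST /form/intake 200 content-type="application/json"',
  '2026-01-01T10:00:09Z POST /webhook/other 200 content-type="application/json"',
  '2026-01-01T10:00:12Z GET /form/intake 200 content-type=""',
];

if (typeof require !== "undefined" && require.main === module) {
  // Prints the single flagged entry: the JSON POST to /form/intake.
  console.log(findNonMultipartFormRequests(SAMPLE_LOG));
}
```

The important design choice is in handleFormUploadHardened: the decision is made on the parsed media type, not on whether req.body happens to contain file-shaped data, and the file list comes only from the multipart parser. The detection helper is the proxy-log counterpart of the same check, useful for looking back over traffic to instances that were exposed before 1.121.0 was applied.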
The post Ni8mare Vulnerability Allows Attackers to Hijack n8n Servers, Exploit Publicly Released appeared first on Cyber Security News.
