
Ni8mare Vulnerability Allows Attackers to Hijack n8n Servers, Exploit Publicly Released

A critical vulnerability in n8n, the widely adopted workflow automation platform, exposes an estimated 100,000 globally deployed instances to complete compromise.

Researchers have disclosed the flaw, tracked as CVE-2026-21858, which carries a perfect CVSS score of 10.0, alongside a working proof-of-concept exploit, leaving administrators scrambling to patch.

The vulnerability stems from a content-type confusion bug in n8n’s webhook request parsing logic.

n8n is the go-to platform for building automated workflows.

By manipulating HTTP headers, unauthenticated attackers can read arbitrary files from affected systems, forge administrator authentication tokens, and execute arbitrary code with full server privileges.

[Figure: overriding req.body.files global variable]

The n8n security team has confirmed the issue and released patches in version 1.121.0 and later. No workarounds exist for older versions.

| CVE Details | Information |
| --- | --- |
| CVE ID | CVE-2026-21858 |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network / Unauthenticated |
| Impact | Complete Server Takeover |
| Affected Versions | n8n < 1.121.0 |
| Fixed Versions | 1.121.0+ |
| Exploit Status | Public PoC Available |
| Vulnerable Hosts (Shodan) | ~26,512 exposed instances |

The Vulnerability Mechanics

The flaw resides in n8n’s webhook middleware, which dynamically routes incoming requests based on the HTTP Content-Type header.

When a request declares multipart/form-data, n8n invokes Formidable, a Node.js library that securely parses file uploads.

However, for other content types, n8n uses a generic body parser that populates the req.body global variable with raw request data.

The critical issue: the Form webhook node responsible for handling user uploads in workflows fails to validate the Content-Type header before processing files.
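The missing check, shown in a simplified model of the parsing split described above. This is an added example, not n8n's code and not from the original article; `parseBody`, `UPLOAD_PARSED`, `tmpPath` and both handlers are hypothetical names, and the sample requests are constructed.

```javascript
// Added example: a simplified model of the parsing split, not n8n's code.
// parseBody, UPLOAD_PARSED, tmpPath and both handlers are hypothetical names.
const UPLOAD_PARSED = Symbol('bodyCameFromUploadParser');

// Middleware model: the Content-Type header alone picks the parser.
function parseBody(req) {
  const type = String(req.headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase();
  if (type === 'multipart/form-data') {
    // Stand-in for the upload parser: the server chooses where files land.
    req.body = { data: req.fields || {}, files: req.uploads || {} };
    req[UPLOAD_PARSED] = true;
  } else {
    // Generic parser: every key, including "files", is caller-supplied.
    req.body = JSON.parse(req.rawBody || '{}');
  }
  return req;
}

// Weak form handler: trusts req.body.files whichever parser filled it.
function handleFormUnchecked(req) {
  return Object.values(req.body.files || {}).map((f) => f.tmpPath);
}

// Hardened form handler: file entries count only if the upload parser ran.
function handleFormChecked(req) {
  if (!req[UPLOAD_PARSED]) return { status: 415, files: [] };
  const files = Object.values(req.body.files || {}).map((f) => f.tmpPath);
  return { status: 200, files };
}

// Constructed sample requests (not captured traffic).
const genuineUpload = parseBody({
  headers: { 'content-type': 'multipart/form-data; boundary=x' },
  uploads: { doc: { tmpPath: '/tmp/upload-constructed-1' } },
});
const confusedRequest = parseBody({
  headers: { 'content-type': 'application/json' },
  rawBody: JSON.stringify({ files: { doc: { tmpPath: '/constructed/placeholder' } } }),
});

console.log(handleFormUnchecked(confusedRequest));
console.log(handleFormChecked(confusedRequest).status);
console.log(handleFormChecked(genuineUpload));
```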


The post Ni8mare Vulnerability Allows Attackers to Hijack n8n Servers, Exploit Publicly Released appeared first on Cyber Security News.

rssfeeds-admin
