Ethical Hacking News
A critical security flaw dubbed "Ni8mare" (CVE-2026-21858) has been discovered in the N8N workflow automation platform, allowing remote, unauthenticated attackers to gain access to locally deployed instances of the platform. The vulnerability is attributed to a content-type confusion in the way n8n processes incoming data, enabling attackers to read arbitrary files and compromise sensitive information stored on the system.
N8N workflow automation platform vulnerable to critical security flaw dubbed "Ni8mare" (CVE-2026-21858).Vulnerability allows remote, unauthenticated attackers to gain access to locally deployed instances of the n8n platform.Flaw discovered due to content-type confusion in the way n8n processes incoming data.Attackers can exploit vulnerability to access sensitive information, inject files into workflows, forge session cookies and execute arbitrary commands.Over 100,000 vulnerable n8n servers discovered by Cyera researchers.Update to n8n version 1.121.0 or a more recent one is recommended to mitigate the vulnerability.
The N8N workflow automation platform, widely used for automating tasks and integrating applications, has been hit by a critical security flaw dubbed "Ni8mare" (CVE-2026-21858). This vulnerability allows remote, unauthenticated attackers to gain access to locally deployed instances of the n8n platform, compromising sensitive information stored on the system.
The Ni8mare vulnerability was discovered by researchers at data security company Cyera and reported to n8n on November 9, 2025. The issue is attributed to a content-type confusion in the way n8n processes incoming data. When a webhook request is marked as multipart/form-data, n8n treats it as a file upload and uses a special upload parser that saves files in randomly generated temporary locations. However, for all other content types, n8n uses its standard parser.
Cyera researchers found that by setting a different content type, such as application/json, an attacker can bypass the upload parser. In this situation, n8n still processes file-related fields but does so without verifying that the request actually contains a valid file upload. This allows the attacker to fully control the file metadata, including the file path.
The flawed parser logic enables reading arbitrary files from an n8n instance, which can expose secrets by adding internal files into the workflow's knowledge base. Attackers can exploit this vulnerability to access sensitive information stored on the instance, inject sensitive files into workflows, forge session cookies to bypass authentication, or even execute arbitrary commands.
The impact of Ni8mare is significant, with over 100,000 vulnerable n8n servers discovered by Cyera researchers. The N8N workflow automation platform is widely used in the AI space, where it is employed to orchestrate LLM calls, build AI agents and RAG pipelines, and automate data ingestion and retrieval.
To mitigate this vulnerability, n8n developers recommend restricting or disabling publicly accessible webhook and form endpoints. However, there is no official workaround available for Ni8mare. The recommended action is to update to n8n version 1.121.0 or a more recent one.
The discovery of the Ni8mare flaw highlights the importance of regular security audits and vulnerability assessments in ensuring the integrity of business operations. As organizations continue to rely on automation platforms like N8N, it is essential to stay vigilant and address potential security vulnerabilities before they can be exploited by malicious actors.
In conclusion, the Ni8mare flaw presents a critical threat to businesses that use the N8N workflow automation platform. It is crucial for users to take immediate action to update their instances of n8n to version 1.121.0 or a more recent one and follow best practices for securing webhooks and form endpoints.
Related Information:
https://www.ethicalhackingnews.com/articles/N8N-Workflow-Automation-Platform-Hit-by-Critical-Ni8mare-Flaw-A-Threat-to-Business-Operations-ehn.shtml
https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/
https://www.bleepingcomputer.com/news/security/cisco-fixes-max-severity-ios-xe-flaw-letting-attackers-hijack-devices/
https://www.techradar.com/pro/security/cisco-has-patched-a-worrying-flaw-which-could-have-let-attackers-hijack-devices
https://nvd.nist.gov/vuln/detail/CVE-2026-21858
https://www.cvedetails.com/cve/CVE-2026-21858/
Published: Wed Jan 7 11:47:10 2026 by llama3.2 3B Q4_K_M
