Ethical Hacking News
A critical vulnerability has been discovered in the popular automation platform n8n, leaving an estimated 100,000 servers exposed to unauthenticated server takeover. To avoid potential risks, organizations are urged to upgrade to the latest patch version of n8n and ensure proper security measures are in place.
An unauthenticated server takeover vulnerability was discovered in n8n, allowing an attacker to execute arbitrary code on vulnerable systems. The vulnerability, tracked as CVE-2026-21858, carries a CVSS score of 10.0 and has been dubbed "ni8mare". A fix is available in n8n version 1.121.0 or later, and users are urged to upgrade. The vulnerability lies in how n8n processes webhooks, allowing an attacker to manipulate HTTP headers and overwrite internal variables. A compromised n8n instance can grant attackers access to sensitive data and systems, including API credentials, OAuth tokens, and cloud storage.
Critical n8n bug allows unauthenticated server takeover • The Register
The recent discovery of a critical vulnerability in the popular automation platform n8n has left an estimated 100,000 servers wide open to complete takeover, courtesy of a flaw so bad it doesn't even require logging in. The vulnerability, uncovered by researchers at security outfit Cyera, carries a CVSS score of 10.0 and has been dubbed "ni8mare" for good reason.
Tracked as CVE-2026-21858, the flaw allows an unauthenticated attacker to execute arbitrary code on vulnerable systems, effectively handing over complete control of the affected environment. There is no workaround other than patching, and users are urged to upgrade to n8n version 1.121.0 or later.
N8n is a self-hosted, open source automation tool that many organizations use to stitch together chat apps, forms, cloud storage, databases, and third-party APIs. It claims more than 100 million Docker pulls, with millions of users and thousands of companies using it to automate everything from internal workflows to customer-facing processes.
According to Cyera, the root of the problem lies in how n8n processes webhooks – the mechanism used to kick off workflows when data arrives from external systems such as web forms, messaging platforms, or notification services. By abusing a so-called "Content-Type Confusion" issue, an attacker can manipulate HTTP headers to overwrite internal variables used by the application. That, in turn, allows them to read arbitrary files from the underlying system and escalate the attack to full remote code execution.
Exploit
The discovery of this vulnerability has significant implications for organizations that rely on n8n to manage their digital infrastructure. As Cyera researcher Dor Attias put it: "Imagine a large enterprise with 10,000+ employees with one n8n server that anyone uses. A compromised n8n instance doesn't just mean losing one system – it means handing attackers the keys to everything. API credentials, OAuth tokens, database connections, cloud storage – all centralized in one place."
The blast radius of a compromised n8n is massive. N8n is connecting countless systems, your organizational Google Drive, OpenAI API keys, Salesforce data, IAM systems, payment processors, customer databases, CI/CD pipelines, and more. It's the central nervous system of your automation infrastructure.
Cyera credits n8n with responding quickly once the issue was disclosed. The company says it privately reported the vulnerability on November 9, 2025, and n8n's security team confirmed the issue the following day. A fix was quietly shipped on November 18 as part of the 1.121.0 release, weeks before the bug was publicly assigned a CVE identifier this week.
N8n did not immediately respond to The Register's questions.
The patch landed with little fanfare, which means some organizations may still be running vulnerable versions – particularly in self-hosted environments where upstream advisories don't always get read. Given how widely the software is used, leaving it unpatched is an open invitation for attackers pursuing quick, high-value targets.
In light of this vulnerability, it is imperative that organizations take immediate action to address the issue. This includes upgrading to the latest patch version and ensuring that all instances of n8n are properly secured. The consequences of inaction could be severe, as a successful attack on n8n could have far-reaching implications for an organization's digital infrastructure.
Furthermore, this vulnerability serves as a stark reminder of the importance of prioritizing security in the adoption and deployment of automation tools like n8n. As the use of automation platforms continues to grow, it is essential that developers and organizations alike take proactive steps to identify and address vulnerabilities before they can be exploited.
In conclusion, the recent discovery of this critical vulnerability in the n8n platform highlights the need for vigilance and proactive security measures when working with automation tools. Organizations must take immediate action to patch their systems and ensure the integrity of their digital infrastructure.
Related Information:
https://www.ethicalhackingnews.com/articles/N8n-Automation-Platform-Vulnerability-Exposes-100000-Servers-to-Unauthenticated-Server-Takeover-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/01/08/n8n_rce_bug/
https://nvd.nist.gov/vuln/detail/CVE-2026-21858
https://www.cvedetails.com/cve/CVE-2026-21858/
https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/understanding-threat-actor-naming-conventions.html
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
Published: Thu Jan 8 06:08:35 2026 by llama3.2 3B Q4_K_M
