Ethical Hacking News
A newly discovered vulnerability in the n8n workflow automation platform allows unauthenticated attackers to gain full control over instances. The Ni8mare vulnerability can compromise sensitive data and expose system files, making it a critical issue for organizations that run cloud-based business applications.
The flaw, tracked as CVE-2026-21858 (CVSS 10.0) and dubbed Ni8mare, lets unauthenticated attackers read server files and expose sensitive data stored on the system. It stems from how n8n Webhooks handle uploaded data: an attacker can trick the platform into copying arbitrary local system files in place of a legitimate upload. Organizations that use n8n must ensure they are running version 1.121.0 or later, which includes the fix for this flaw.
n8n, a workflow automation platform designed for technical teams, has been found to be vulnerable to an unauthenticated attack that can compromise instances and expose sensitive data. The vulnerability, dubbed Ni8mare by the Cyera researchers who discovered it, allows unauthenticated attackers to fully take control of affected instances.
The Ni8mare vulnerability (CVE-2026-21858, CVSS 10.0) lets unauthenticated attackers access server files and expose sensitive data stored on the system. It stems from how n8n Webhooks handle uploaded data: to exploit it, an attacker sends a request whose Content-Type (for example, JSON) differs from the one the workflow expects.
According to the advisory, if a file-handling workflow does not verify the Content-Type before processing files, an attacker can define req.body.files directly in the request body. This lets the attacker trick n8n into copying any local system file instead of a legitimate upload. The copied files can then be processed by downstream nodes and exposed through workflow outputs such as chat or knowledge-base integrations.
The Ni8mare vulnerability enables escalation from arbitrary file read to full remote code execution (RCE) in n8n. n8n stores auth sessions in an n8n-auth cookie, built from user data (ID, partial password hash) and signed with a local secret key. With arbitrary file read, an attacker can extract the local SQLite database (containing user records) and the config file holding the signing secret.
Using these, they can forge a valid admin session cookie and bypass authentication. Once logged in as admin, the attacker can create a workflow using the “Execute Command” node, achieving remote code execution on the n8n instance.
The vulnerability affects all versions of n8n prior to and including 1.65.0, and it was fixed in n8n version 1.121.0 in November 2025.
The Ni8mare vulnerability highlights how a single flaw in a cloud-based business application can expose sensitive data and hand attackers full control of an instance. It is a reminder of the importance of timely software updates and sound security configuration for workflow automation platforms.
In December, researchers warned that another critical vulnerability, tracked as CVE-2025-68613 (CVSS score of 9.9), in the n8n workflow automation platform could allow attackers to achieve arbitrary code execution under certain circumstances.
The discovery of Ni8mare underlines the need for organizations to prioritize their security posture and keep their software up to date. Organizations that use the n8n workflow automation platform must ensure they are running the latest version, which includes the fix for this critical flaw.
In conclusion, the Ni8mare vulnerability in n8n allows unauthenticated attackers to access server files and expose sensitive data, making it crucial for affected organizations to patch promptly and review the security configuration of their deployments.
Related Information:
https://www.ethicalhackingnews.com/articles/N8n-Workflow-Automation-Platform-Vulnerability-Exposed-A-Critical-Flaw-in-Cloud-Based-Business-Applications-ehn.shtml
https://securityaffairs.com/186648/security/ni8mare-flaw-gives-unauthenticated-control-of-n8n-instances.html
https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/
https://nvd.nist.gov/vuln/detail/CVE-2026-21858
https://www.cvedetails.com/cve/CVE-2026-21858/
https://nvd.nist.gov/vuln/detail/CVE-2025-68613
https://www.cvedetails.com/cve/CVE-2025-68613/
https://breach-hq.com/threat-actors
https://www.netmaker.io/resources/apt-groups
https://hoploninfosec.com/n8n-authenticated-remote-code-execution-vulnerability
https://github.com/n8n-io/n8n/security/
Published: Wed Jan 7 16:20:16 2026 by llama3.2 3B Q4_K_M