CVE-2026-21858 (“Ni8mare”): Unauthenticated Remote Code Execution in n8n Automation Platform

A newly disclosed critical vulnerability, CVE-2026-21858, impacts the widely used open-source workflow automation platform n8n, exposing self-hosted instances to unauthenticated remote code execution (RCE) and potential full system takeover. This flaw — nicknamed “Ni8mare” — has been assigned a maximum CVSS score of 10.0, reflecting its severe impact on confidentiality, integrity, and availability.

The vulnerability originates from a Content-Type confusion issue in the n8n webhook and file-handling logic. Because n8n accepts inbound webhook requests without authentication (they are commonly used for form submissions and external integrations), an attacker can supply a malformed request that overrides internal data structures, enabling arbitrary file access on the host system. This can expose sensitive tokens, database files, configuration secrets, and administrative credentials.

Once attackers gain unauthorized access to internal components and credentials, they can forge valid sessions and escalate privileges, ultimately achieving remote code execution by creating malicious workflows that execute system commands through n8n’s automation nodes.

The flaw affects all n8n versions prior to 1.121.0 and has been patched in that release and later versions. Because many deployments remain self-hosted and reachable over the internet, organizations must urgently update to patched versions, restrict public exposure of n8n endpoints, and closely monitor webhook traffic to prevent exploitation.
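The first step of the remediation above is knowing which instances still run a pre-1.121.0 release. The following is an added example (not code from the advisory or from the n8n project) that triages a constructed host inventory against the fix version using numeric comparison, because a plain string compare ranks 1.99.2 above 1.121.0 and would miss vulnerable hosts; the inventory entries and field names are assumptions.

```python
# Added example: rank n8n hosts still below the CVE-2026-21858 fix version.
# Versions are compared as integer tuples so that 1.99.2 < 1.121.0 holds,
# which a lexicographic string comparison gets wrong.
import re

FIXED_VERSION = (1, 121, 0)  # first patched n8n release, per the advisory


def parse_version(text: str) -> tuple:
    """Turn '1.121.0' (optional leading 'v' or '-rc1' suffix) into an int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the instance runs a release prior to 1.121.0."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: list) -> list:
    """Return (host, version, priority) for vulnerable hosts, internet-facing first."""
    findings = []
    for host in inventory:
        if not is_vulnerable(host["version"]):
            continue
        priority = "P1-internet-facing" if host["public"] else "P2-internal"
        findings.append((host["name"], host["version"], priority))
    findings.sort(key=lambda f: f[2])
    return findings


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    {"name": "n8n-prod", "version": "1.99.2", "public": True},
    {"name": "n8n-dev", "version": "v1.121.0", "public": False},
    {"name": "n8n-legacy", "version": "1.45.0", "public": False},
    {"name": "n8n-new", "version": "1.122.1-rc1", "public": True},
]

if __name__ == "__main__":
    for name, version, prio in triage(SAMPLE_INVENTORY):
        print(f"{prio}: {name} runs {version}, upgrade to >= 1.121.0")
```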