TLP:CLEAR-[ngCERT SECURITY ADVISORY ON CRITICAL NI8MARE VULNERABILITY AFFECTING N8N WORKFLOW AUTOMATION PLATFORM]

Advisory ID:   ngCERT-2026-010001

SUMMARY

ngCERT is aware of a critical remote code execution (RCE) vulnerability nicknamed Ni8mare, affecting the popular n8n open-source workflow automation platform. The Vulnerability with CVE-2026-21858 and a critical CVSS score of 10.0 allows unauthorised remote attackers to fully compromise vulnerable instances, often without any interaction by legitimate users. The vulnerability stems from improper request parsing and Content-Type handling in form/webhook workflows. A specific logic bug allows crafted HTTP requests to bypass input validation, thereby exposing sensitive configuration files, credentials, and other confidential data on the underlying server. This vulnerability affects older versions of the n8n workflow automation platform. Organisations and businesses utilising this platform are strongly advised to immediately patch to version 1.121.0 or higher, coupled with access restrictions and monitoring for signs of exploitation.

Damage:      Critical (CVSS: 10.0)

Probability:  High

Platform(s):  n8n AI Automation Software

DESCRIPTION

ngCERT is aware of a critical remote code execution (RCE) vulnerability nicknamed Ni8mare, affecting the popular n8n open-source workflow automation platform. The Vulnerability with CVE-2026-21858 and a critical CVSS score of 10.0 allows unauthorised remote attackers to fully compromise vulnerable instances, often without any interaction by legitimate users. The vulnerability stems from improper request parsing and Content-Type handling in form/webhook workflows. A specific logic bug allows crafted HTTP requests to bypass input validation, thereby exposing sensitive configuration files, credentials, and other confidential data on the underlying server. This vulnerability affects older versions of the n8n workflow automation platform. Organisations and businesses utilising this platform are strongly advised to immediately patch to version 1.121.0 or higher, coupled with access restrictions and monitoring for signs of exploitation.

CONSEQUENCES

Successful exploitation of Ni8mare vulnerability may lead to:

1. Unauthenticated Remote Code Execution (RCE).
2. Full Server Compromise.
3. Sensitive Data Exposure.
4. Administrator Session Forging.

SOLUTION/MITIGATION

Organisations are strongly advised to apply these mitigations:

1. Isolate n8n services network-wise from critical systems where possible.
2. Review automated workflow designs for overly broad input acceptance.
3. Avoid exposing n8n instances to the public internet unless necessary and restrict access via firewalls, VPN, or internal networks.
4. Require authentication for all forms and webhook endpoints, and temporarily disable or block publicly accessible webhook/form endpoints until patched.
5. Patch/Upgrade. Upgrade n8n to version 1.121.0 or later.
6. Review and rotate all sensitive secrets stored in n8n (API keys, tokens, encryption secrets) if exposure is suspected.
7. Monitor logs and network activity for unusual access patterns and implement intrusion detection or web application firewall rules tailored to n8n webhook traffic anomalies (e.g., malformed Content-Type requests).

HYPERLINK

• https://censys.com/advisory/cve-2026-21858
• https://www.tenable.com/cve/CVE-2026-21858
• https://www.picussecurity.com/resource/blog/ni8mare-n8n-cve-2026-21858-remote-code-execution-vulnerability-explained