Vulnerability Alert: CVE-2026-21858: Ni8mare: Unauthenticated Remote Code Execution in n8n

An unauthenticated Remote Code Execution (RCE) flaw, tracked as CVE-2026-21858 (CVSS 10.0), has been discovered in n8n, the widely-adopted workflow automation platform. 

With over 100 million Docker pulls and an estimated 100,000 locally deployed instances, this vulnerability transforms n8n from a productivity tool into a severe single point of potential failure for organizations globally.

Affected Versions

Technical Details

Dubbed "Ni8mare,” this critical vulnerability stems from a Content-Type confusion flaw during webhook request parsing, allowing attackers to:

1. Gain arbitrary read access to sensitive server-side files.
2. Extract sensitive data, including credentials and signing secrets, from the database and configuration files, allowing them to forge an administrator token.
3. Leverage the forged admin token to execute arbitrary commands on the underlying host.

How n8n Webhook Parsing Works

n8n webhooks serve as entry points for workflows, accepting data from Forms, Chat messages and external services. When a request arrives, the parseRequestBody() middleware inspects the Content-Type header to determine which parser to invoke:

• multipart/form-data → parseFormData() file upload parser using Formidable.
• All other types → parseBody() regular body parser.

The file upload parser populates req.body.files with uploaded file metadata, including randomly-generated temp paths. The regular body parser populates req.body with the decoded request body and critically, nothing prevents req.body.files from being overridden through the latter path.

Where the Vulnerability Occurs

The Form Webhook node's formWebhook() function calls prepareFormReturnItem() to process uploaded files. This function iterates over req.body.files and invokes copyBinaryFile() for each entry, copying files from the specified filepath to persistent storage.

The vulnerability: formWebhook() does not verify that the Content-Type is multipart/form-data before processing files. An attacker can:

1. Send a request with Content-Type: application/json
2. Include a crafted JSON body that overrides req.body.files
3. Control the filepath parameter to point to any local file

This grants an arbitrary file read primitive with zero authentication.

From File Read to Full Compromise

The arbitrary read primitive chains into complete server takeover through n8n's session architecture:

1. Database Extraction: Read /home/node/.n8n/database.sqlite to obtain user IDs, emails, and password hashes.
2. Key Extraction: Read /home/node/.n8n/config to obtain the JWT signing secret.
3. Session Forgery: Craft a valid n8n-auth cookie using extracted credentials and the signing key.
4. Code Execution: Create a workflow with an "Execute Command" node.

Any n8n instance with a Form node exposed to untrusted users is vulnerable.

Impact

A compromised n8n instance grants attackers access to:

• All stored credentials: OAuth tokens, API keys, database passwords stored in workflows.
• Connected systems: Google Drive, Salesforce, Slack, CI/CD pipelines, payment processors.
• Underlying infrastructure: Full shell access to the host server.
• Lateral movement: Access to internal networks and services to which n8n is connected to.

The blast radius is amplified by n8n's role as an integration hub, organizations using it as their automation backbone face exposure across their entire connected ecosystem.

Context: n8n's Critical Vulnerability Streak

CVE-2026-21858 arrives amid an unprecedented cluster of critical n8n vulnerabilities disclosed in the past two weeks:

This pattern underscores systemic security challenges in n8n's architecture, particularly around its file handling, sandbox isolation, and authentication boundaries.

Mitigation

Immediate Actions

• Upgrade immediately: Update all n8n instances to version 1.121.0 or later.
• Restrict network access: Block public access to n8n instances pending patch.
• Monitor for exploitation: Implement logging and alerting for Form webhook access patterns.

Why This Matters

The Integration Hub Risk

n8n's value proposition, connecting everything, becomes its greatest liability when compromised. Unlike traditional vulnerabilities affecting a single application, exploiting n8n provides attackers with pre-authenticated access to every connected service: cloud storage, communication platforms, databases, CI/CD pipelines and financial systems.

Runtime Visibility Gap

This vulnerability illustrates why static scanning alone cannot surface all exploitable conditions. The dangerous behavior only becomes apparent when analyzing actual execution paths. Traditional SCA tools identify vulnerable packages; runtime analysis reveals which vulnerabilities are actually reachable and exploitable in production.

How Kodem Protects Customers

• Runtime validation: Kodem Runtime Intelligence™ uses eBPF sensors combined with memory analysis to identify which vulnerable packages are actually loaded and executed in production, distinguishing real risk from dormant dependencies.
• Dependency tracing: Full transitive dependency chains show exactly how vulnerable packages like n8n enter your environment, across all sources and manifest files.
• Verified remediation:Kodem Remediation provides specific upgrade paths validated against your codebase, showing the minimum version update required for each affected source.
• Prioritization Through Evidence: Teams focus exclusively on vulnerabilities with proof of runtime execution rather than investigating every theoretical CVE.

References

1. Attias, D. (2026, January 7). Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858). Cyera Research Labs. https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858‍
2. n8n Security Team. (2026, January 6). GHSA-v4pr-fm98-w9pg: Unauthenticated remote code execution via form-based workflows. GitHub Security Advisory. https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg‍
3. Lakshmanan, R. (2026, January 7). Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Control. The Hacker News. https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html‍
4. n8n. (2025). Webhook Node Documentation. n8n Docs. https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.webhook/