alt=”” border=”0″ data-original-height=”470″ data-original-width=”900″ />Cybersecurity experts have unveiled details of a critical security vulnerability in the widely used workflow automation platform, n8n, which could potentially grant unauthorized remote access to vulnerable instances.
The flaw, identified as CVE-2026-21858 with a severity score of 10.0, has been named Ni8mare by Cyera Research Labs. Dor Attias, a security researcher, is credited with the discovery of this vulnerability on November 9, 2025.
n8n released an advisory stating, “A vulnerability in n8n allows an attacker to access files on the underlying server through the execution of specific form-based workflows. A susceptible workflow could provide access to an unauthenticated remote attacker, potentially leading to the exposure of sensitive information and further compromise based on deployment configuration and workflow usage.”
Over the past two weeks, n8n has disclosed four critical vulnerabilities, including CVE-2025-68613, CVE-2025-68668 (N8scape), and CVE-2026-21877. However, the latest vulnerability, CVE-2026-21858, stands out as it does not require any credentials and exploits a Content-Type confusion flaw to extract sensitive data, manipulate administrator access, and execute arbitrary commands on the server.
The vulnerability impacts all n8n versions up to and including 1.65.0. A fix has been implemented in version 1.121.0, which was released on November 18, 2025. Notably, the current versions of the software are 1.123.10, 2.1.5, 2.2.4, and 2.3.0.
According to insights shared by Cyera with The Hacker News, the vulnerability is rooted in the n8n webhook and file handling mechanism. The flaw arises when a file-handling function is executed without validating that the content-type is “multipart/form-data,” potentially allowing an attacker to manipulate req.body.files.
Attias explained, “Since this function is called without verifying the content type is ‘multipart/form-data,’ we control the entire req.body.files object. This means we control the filepath parameter, enabling us to copy any local file from the system.”
The severity of the vulnerability underscores the importance of upgrading to the patched version promptly, avoiding exposing n8n to the internet, and enforcing authentication for all Forms. Additionally, restricting or disabling publicly accessible webhook and form endpoints can serve as temporary mitigation measures.
