Skip to content
Contact us

Critical Vulnerabilities in n8n Workflow Automation Platform

Picture of The 1898 & Co. Team

Recent disclosures have highlighted a series of critical vulnerabilities in the n8n workflow automation platform, with the most severe being CVE-2026-21858, dubbed "Ni8mare." This vulnerability, discovered by Cyera Research Labs, allows unauthenticated remote attackers to gain full control over affected instances. The flaw exploits a "Content-Type" confusion in n8n's webhook and file handling mechanism, potentially exposing sensitive information and enabling further system compromise. This vulnerability affects all versions up to 1.65.0 and has been addressed in version 1.121.0.

In addition to Ni8mare, three other critical vulnerabilities have been identified in n8n over the past two weeks. These include CVE-2025-68613 and CVE-2025-68668, both with a CVSS score of 9.9, which allow for remote code execution and command execution on the host system under certain conditions. Another vulnerability, CVE-2026-21877, also scored at 10.0, involves unrestricted file uploads that could lead to full system compromise. These vulnerabilities have been fixed in subsequent updates, with the latest versions being 1.123.10, 2.1.5, 2.2.4, and 2.3.0.

The impact of these vulnerabilities is significant, as n8n serves as a central hub for API credentials, OAuth tokens, database connections, and cloud storage access. A compromised instance could lead to widespread data breaches and operational disruptions. With over 26,000 exposed n8n hosts globally, primarily in the U.S., Germany, France, Brazil, and Singapore, the potential for exploitation is considerable.

Threats and Vulnerabilities

CVE-2026-21858 (Ni8mare) is a maximum-severity vulnerability that allows unauthenticated attackers to exploit a "Content-Type" confusion flaw in n8n's webhook mechanism. This flaw enables attackers to extract sensitive secrets, forge administrator access, and execute arbitrary commands on the server. The vulnerability affects all versions up to 1.65.0 and has been patched in version 1.121.0.

CVE-2025-68613 involves improper control of dynamically-managed code resources, allowing authenticated attackers to achieve remote code execution under specific conditions. This vulnerability has been fixed in versions 1.120.4, 1.121.1, and 1.122.0.

CVE-2025-68668 (N8scape) is a sandbox bypass vulnerability that permits authenticated users with workflow modification permissions to execute arbitrary commands on the host system running n8n. This issue has been resolved in version 2.0.0.

CVE-2026-21877 is an unrestricted file upload vulnerability that allows authenticated attackers to execute untrusted code via the n8n service, leading to full compromise of the instance. The fix is available in version 1.121.3.

Client Impact

The identified vulnerabilities pose significant risks to clients using n8n for workflow automation. Exploitation could lead to operational disruptions due to unauthorized access and control over systems. Data breaches are a major concern, as attackers could access sensitive information such as API credentials and database connections stored within n8n instances.

Financial consequences may arise from potential data loss or theft, impacting business operations and customer trust. Additionally, organizations could face reputation damage if breaches become public knowledge or result in customer data exposure.

From a compliance perspective, these vulnerabilities could lead to regulatory challenges if sensitive data is compromised or if systems fail to meet security standards required by industry regulations such as GDPR or HIPAA.

Mitigations

To mitigate the risks associated with these vulnerabilities, clients are advised to take the following actions:

  1. Upgrade n8n to version 1.121.0 or later immediately to address CVE-2026-21858.
  2. Apply patches for other identified vulnerabilities by updating to the latest available versions.
  3. Avoid exposing n8n instances directly to the internet to reduce attack surface.
  4. Enforce authentication for all Forms and restrict access to webhook endpoints.
  5. Regularly review and update security configurations for n8n deployments.
  6. Monitor network traffic for unusual activity that may indicate exploitation attempts.
  7. Implement network segmentation to limit access to critical systems and data.

By following these steps, organizations can significantly reduce their exposure to these vulnerabilities and enhance their overall security posture.

1898 & Co. Response

1898 & Co. is actively addressing the current threat landscape by offering specialized services designed to mitigate risks associated with workflow automation platforms like n8n. Our team provides thorough security assessments and patch management solutions to ensure clients are protected against emerging threats.

We have updated our security protocols to incorporate the latest threat intelligence related to n8n vulnerabilities and are collaborating with industry allies to share insights and best practices for securing automation platforms.

Our ongoing research efforts focus on identifying potential vulnerabilities in similar systems and developing proactive measures to safeguard client environments. We offer tailored consulting services to help organizations implement robust security controls and maintain compliance with relevant regulations.

Source

  1. CVE Details for CVE-2026-21858