A maximum severity vulnerability dubbed “Ni8mare” allows remote, unauthenticated attackers to take control over locally deployed instances of the N8N workflow automation platform.

The security issue is identified as CVE-2026-21858 and has a 10 out of 10 severity score. According to researchers at data security company Cyera, there are more than 100,000 vulnerable n8n servers.

n8n is an open-source workflow automation tool that allows users to connect applications, APIs, and services into complex workflows via a visual editor. It is primarily used to automate tasks and supports integrations with AI and large language model (LLM) services.

It has over 50,000 weekly downloads on npm and more than 100 million pulls on Docker Hub. It is a popular tool in the AI space, where it is used to orchestrate LLM calls, build AI agents and RAG pipelines, and automate data ingestion and retrieval.

Ni8mare details

The Ni8mare vulnerability gives an attacker access to files on the underlying server by executing certain form-based workflows.

“A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage,” n8n developers say.

Cyera researchers discovered the Ni8mare vulnerability (CVE-2026-21858) and reported it to n8n on November 9, 2025. They say that the security issue is a content-type confusion in the way n8n parses data.

n8n uses two functions to process incoming data based on the ‘content-type’ header configured in a webhook, the component that triggers events in a workflow by listening for specific messages.

When the webhook request is marked as multipart/form-data, n8n treats it as a file upload and uses a special upload parser that saves files in randomly generated temporary locations.

“This means users can’t control where files end up, which protects against path traversal attacks.”

However, for all other content types, n8n uses its standard parser instead.

Cyera found that by setting a different content type, such as application/json, an attacker can bypass the upload parser.

In this situation, n8n still processes file-related fields but does so without verifying that the request actually contains a valid file upload. This allows the attacker to fully control the file metadata, including the file path.

“Since this function is called without verifying the content type is multipart/form-data, we control the entire req.body.files object. That means we control the filepath parameter – so instead of copying an uploaded file, we can copy any local file from the system,” explains Cyera.

This allows reading arbitrary files from an n8n instance, which can expose secrets by adding internal files into the workflow’s knowledge base.

Cyera says this can be abused to expose secrets stored on the instance, inject sensitive files into workflows, forge session cookies to bypass authentication, or even execute arbitrary commands.

Cyera emphasizes that n8n often stores API keys, OAuth tokens, database credentials, cloud storage access, CI/CD secrets, and business data, making it a central automation hub.

n8n developers say that there is no official workaround available for Ni8mare, but one mitigation is to restrict or disable publicly accessible webhook and form endpoints.

The recommended action is to update to n8n version 1.121.0 or a more recent one.