A severe unauthenticated remote code execution (RCE) vulnerability nicknamed “Ni8mare” has been discovered in the n8n workflow automation platform. This flaw, tracked as CVE-2026-21858, allows attackers to take full control of vulnerable n8n instances without needing credentials. Read this Cybersecurity Threat Advisory now to mitigate your risk.
What is the threat?
Ni8mare is a Content-Type confusion bug in n8n caused by the data handling of parseRequestBody() middleware. Here’s what happens:
- When requests use
multipart/form-data, n8n securely processes files with random, safe paths. - If an attacker sends a different Content-Type (e.g.,
application/json), n8n uses a generic parser that trusts user input. This lets attackers inject arbitrary file paths intoreq.body.files.
Why is it noteworthy?
This vulnerability is particularly concerning due to the following factors:
- No authentication required – Anyone can exploit it.
- Full remote code execution – Complete control of the host.
- High-value secrets exposed – API tokens, cloud credentials, database passwords.
- Internet-facing risk – Many n8n instances are public for webhook use.
- Supply chain impact – Compromised workflows can trigger malicious actions across connected services.
What is the exposure or risk?
A successful attack could lead to complete environment compromise, unauthorized access to third-party platforms, business disruption, and potential regulatory or compliance exposure.
Organizations may be at increased risk if they:
- Run n8n versions starting at 1.65.0 or below 1.121.0
- Expose n8n to the internet
- Use n8n for cloud, DevOps, or sensitive workflows
- Store plaintext credentials in workflows
- Run n8n with excessive privileges
- Haven’t applied the latest security patches
What are the recommendations?
Barracuda recommends the following actions to secure your environment:
- Update immediately to n8n v1.121.0 or later (fix included)
- Restrict external access using firewalls, VPNs, or IP allowlists
- Enable authentication and avoid public unauthenticated access
- Rotate all stored credentials (API keys, tokens, passwords)
- Audit workflows for unauthorized changes
- Run with least privilege (avoid root or overly permissive containers)
- Monitor logs for suspicious activity
- Check webhook requests for
application/jsoninstead of expectedmultipart/form-data - Track file integrity for sensitive files like
/root/.n8n/database.sqliteand.n8n/config - Audit sessions for unusual admin logins or forged cookies
- Review workflows for nodes like “Execute Command” or “Code” with sandbox escape patterns (e.g.,
process.mainModule.require)
References
For more in-depth information about the recommendations, please visit the following links:
- Ni8mare – Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) | Cyera Research LabsCritical Vulnerability Exposes n8n Instances to Takeover Attacks – SecurityWeek
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.