Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) | Cyera Research Labs (www.cyera.com)
from Zerush@lemmy.ml to security@lemmy.ml on 08 Jan 14:15
https://lemmy.ml/post/41407671

A critical vulnerability (CVE-2026-21858) dubbed “Ni8mare” allows unauthenticated attackers to gain complete control over n8n workflow automation instances[^1]. The flaw, which received the highest CVSS score of 10.0, affects all versions prior to 1.121.0 and enables attackers to read files, bypass authentication, and execute arbitrary commands[^2].

The vulnerability stems from a Content-Type confusion in n8n’s Form Webhook handling, where attackers can manipulate file paths to read sensitive system files and escalate privileges[^3]. Cyera Research Labs discovered that approximately 100,000 exposed servers globally are at risk[^1].

Key timeline:

Censys reports 26,512 exposed n8n hosts, with most located in the US (7,079), Germany (4,280), and France (2,655)[^4].

Required actions:

[^1]: Cyera Research Labs - Ni8mare - Unauthenticated Remote Code Execution in n8n
[^2]: Aikido - n8n Critical Vulnerability Explained
[^3]: The Hacker News - Critical n8n Vulnerability Allows Unauthenticated Attackers to Take Full Control
[^4]: The Hacker News - Update section on Censys findings

#security
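The only concrete remediation signal in the post is the fixed version: every n8n release before 1.121.0 is affected. The first defender task is therefore to triage an instance inventory against that threshold, and the one trap is comparing version strings as text (a string compare ranks "1.9.3" above "1.121.0"). The script below is an added example, not code from Cyera, n8n or the post's author; the host names and versions in SAMPLE_INVENTORY are constructed, and the accepted version-string shape (optional leading "v", three numeric parts, optional pre-release suffix) is an assumption.

```python
"""Triage an n8n host inventory against the CVE-2026-21858 fixed version."""
import re
from typing import Dict, List, Tuple

# Per the post: all versions prior to 1.121.0 are affected.
FIXED_VERSION = "1.121.0"

# Assumed version format: optional 'v', MAJOR.MINOR.PATCH, optional -pre/+build suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?\s*$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v1.121.0' or '1.120.3-rc.1' into a numerically comparable tuple.

    Numeric comparison is the point: '1.9.3' < '1.121.0' as integers, but the
    opposite as strings. Pre-release/build suffixes are ignored, so a
    pre-release of the fixed version is treated as patched (conservative only
    if your deployment actually tracks the fix; adjust if needed).
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {host: version} map into vulnerable / patched / unknown buckets.

    Hosts whose version cannot be parsed land in 'unknown' rather than being
    silently skipped, so they still show up for manual follow-up.
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hypothetical hosts and versions, not from the post.
SAMPLE_INVENTORY = {
    "n8n-prod-01.example.internal": "1.121.0",       # exactly the fixed version
    "n8n-prod-02.example.internal": "1.120.4",       # one minor behind: affected
    "n8n-staging.example.internal": "v1.9.3",        # string compare would miss this
    "n8n-dev.example.internal": "1.122.1-rc.0",      # newer pre-release: patched
    "n8n-legacy.example.internal": "unknown",        # unparseable: needs a look
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version each instance reports (for example from your asset inventory or configuration management) and treat the "unknown" bucket as work to do, not as clean.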
