What Happened
A critical vulnerability in the popular n8n workflow automation platform tracked as CVE-2026-21858 and assigned a CVSS score of 10.0 can allow unauthenticated attackers to compromise locally deployed n8n instances.
What It Is
The flaw, dubbed Ni8mare, is caused by improper handling of webhook or form requests, where n8n's file-processing code is invoked without confirming the expected content type. The issue was disclosed by researchers at Cyera. This oversight can be abused to read arbitrary files from the filesystem, expose stored secrets such as API keys and credentials, and potentially inject malicious artefacts into workflows.
Who Is Affected
All n8n deployments running versions prior to 1.121.0 remain vulnerable until upgraded. Both self-hosted and internetaccessible instances are at risk.
How It Works
An attacker can send specially crafted webhookstyle requests that trigger the flawed parser logic. Because n8n fails to enforce the expected multipart content type, the server processes the payload in a way that allows control over file metadata and access to sensitive resources.
What To Do
- Upgrade immediately to n8n version 1.121.0 or later to remediate the vulnerability.
- Restrict or disable publicly reachable webhook and form endpoints to minimise exposure.
- Where possible, limit who can trigger webhook endpoints and place them behind authentication or network access controls.
Why It Matters
Given the flaw's severity and the ease with which it can be triggered by unauthenticated actors, any public n8n server should be patched without delay. The risk includes data disclosure, secret theft, and potential workflow tampering.
Conclusion
The Ni8mare vulnerability poses a serious threat to n8n users, but the required mitigation is straightforward: upgrade to version1.121.0 or newer and tighten control over public webhook and form endpoints. Keeping the platform uptodate and limiting unnecessary exposure will help protect workflows and the sensitive data they handle.