Ni8mare Vulnerability: Max-Severity Flaw Lets Hackers Hijack n8n Automation Servers

Jan 8, 2026

A maximum-severity vulnerability, dubbed “Ni8mare”, has been disclosed in the n8n workflow automation platform, allowing unauthenticated remote attackers to take control of vulnerable servers and expose sensitive system data.

n8n is an open-source automation tool used to connect applications, APIs, and services into dynamic workflows via a visual editor. It’s widely used for task automation, orchestration of AI/LLM calls, data ingestion, and more, with hundreds of thousands of deployments globally.

Ni8mare (CVE-2026-21858) Attack Summary

The Ni8mare flaw carries a CVSS score of 10.0 (Maximum Severity) and impacts self-hosted n8n instances that are publicly accessible or improperly configured.

What It Does

  • Unauthenticated Remote Access: Attackers can abuse the vulnerability without credentials to interact with n8n webhook endpoints.

  • Bypass File Validation: Due to a content-type parsing flaw, malicious requests can bypass upload validation and let attackers control file metadata.

  • Arbitrary File Access & Leakage: This enables attackers to read arbitrary files from the system — including secrets, API keys, tokens, and credentials that n8n workflows may store.

  • Session Forgery & Escalation: Exploits can forge session cookies, bypass authentication checks, and potentially lead to further compromise depending on environment configurations.

Cyera researchers, who discovered the Ni8mare flaw, reported it to n8n on November 9, 2025.

Why This Matters

n8n often serves as a central automation hub for business processes, orchestrating integrations across CRM systems, databases, cloud storage, CI/CD pipelines, and AI platforms. A server compromise can thus expose critical secrets, disrupt automation workflows, and provide footholds for broader attacks.

With an estimated 100,000+ vulnerable servers globally, the potential blast radius is significant — especially in DevOps, cloud, and AI engineering environments that rely on n8n for automated workflows.

Mitigation & Recommended Actions

  • Patch Immediately: Upgrade n8n to version 1.121.0 or later, where the Ni8mare flaw is fixed.

  • Restrict Endpoints: Restrict or disable publicly accessible webhook and form endpoints to reduce attack surface.

  • Network Filtering: Limit access to n8n instances to trusted networks/IPs only.

  • Credential Rotation: If compromise is suspected, rotate API keys, OAuth tokens, and credentials stored in workflows.

There is currently no official workaround beyond updating and tightening network access controls.

Detection & Indicators

Security teams should monitor for:

  • Unexpected HTTP POST requests to webhook endpoints with manipulated content types.

  • Signs of file access outside expected directories (e.g., /tmp, /var).

  • Unauthorized session creation or unusual admin activity.
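A detection heuristic for the first indicator above, added here as an example (not code from the article or from n8n): it scans constructed reverse-proxy log lines and flags POSTs to assumed n8n public endpoint prefixes whose Content-Type header is malformed or outside an assumed per-deployment allowlist.

```python
import re

# Constructed sample lines in a reverse-proxy log format that also records the
# request Content-Type header (an assumed custom format, not n8n's own logs).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2026:10:01:02 +0000] "POST /webhook/order-intake HTTP/1.1" 200 "application/json"
203.0.113.9 - - [08/Jan/2026:10:01:07 +0000] "POST /webhook/order-intake HTTP/1.1" 200 "multipart/form-data; boundary=x, application/json"
10.0.0.5 - - [08/Jan/2026:10:02:00 +0000] "GET /rest/workflows HTTP/1.1" 200 "-"
198.51.100.4 - - [08/Jan/2026:10:02:30 +0000] "POST /webhook-test/abc HTTP/1.1" 200 "MULTIPART/FORM-DATA"
198.51.100.4 - - [08/Jan/2026:10:02:31 +0000] "POST /form/contact HTTP/1.1" 200 "application/xml"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$')

# Assumed n8n public endpoint prefixes; adjust to your deployment.
PUBLIC_PREFIXES = ("/webhook/", "/webhook-test/", "/form/")
# Media types the workflows in this deployment are expected to accept (assumed).
EXPECTED_TYPES = {"application/json", "application/x-www-form-urlencoded",
                  "multipart/form-data", "text/plain"}
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"          # RFC 9110 token characters
MEDIA_RE = re.compile(rf"^{TOKEN}/{TOKEN}$")
PARAM_RE = re.compile(rf'^{TOKEN}=(?:{TOKEN}|"[^"]*")$')


def classify_content_type(ctype):
    """Return None if the header is well-formed and expected, else a reason string."""
    parts = [p.strip() for p in ctype.split(";")]
    media = parts[0].lower()
    if not MEDIA_RE.match(media):
        return "malformed media type"
    if any(not PARAM_RE.match(p) for p in parts[1:]):
        return "malformed parameter list"
    if media not in EXPECTED_TYPES:
        return f"unexpected media type {media}"
    if media == "multipart/form-data" and not any(
            p.lower().startswith("boundary=") for p in parts[1:]):
        return "multipart without boundary"   # boundary is mandatory for multipart
    return None


def find_suspicious(log_text):
    """Return (ip, path, ctype, reason) for POSTs to public endpoints with odd Content-Type."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(PUBLIC_PREFIXES):
            continue
        reason = classify_content_type(m["ctype"])
        if reason:
            hits.append((m["ip"], m["path"], m["ctype"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT", *hit)
```

Tune EXPECTED_TYPES to what your workflows actually accept; a hit is a triage lead, not proof of exploitation.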

Final Thoughts

The Ni8mare vulnerability is a stark reminder that even automation platforms — often trusted implicitly inside corporate networks — can become high-impact targets when flaws exist in core input processing logic. Organizations using n8n should prioritize patching and access restrictions immediately to prevent exploitation and safeguard workflow integrity.
