A critical-severity vulnerability within the n8n workflow automation platform permits attackers to take over susceptible cases, information safety agency Cyera warns.
n8n has over 100 million Docker pulls, supplies quite a few integrations and a drag-and-drop interface, and is utilized by hundreds of enterprises.
Tracked as CVE-2026-21858 (CVSS rating 10/10), the newly disclosed n8n vulnerability impacts the platform’s webhook and file-handling logic and will result in unauthenticated entry to arbitrary information.
“A vulnerability in n8n permits an attacker to entry information on the underlying server via execution of sure form-based workflows. A susceptible workflow may grant entry to an unauthenticated distant attacker,” n8n’s advisory reads.
In keeping with Cyera Analysis Labs researcher Dor Attias, who was credited for locating the bug and named it Ni8mare, the problem is a Content material-Kind confusion, resulting in n8n calling the improper parser when an attacker modifications the content material kind.
As a result of the operate that copies a file from its momentary file to persistent storage is known as with out verifying the content material kind, an attacker can management the filepath parameter and duplicate any native file as a substitute of an uploaded file.Commercial. Scroll to proceed studying.
The safety defect, Attias explains, can permit attackers to extract delicate info and use it to utterly compromise an n8n occasion.
He first intercepted the HTTP request despatched when importing a file utilizing the Kind node, which is the interface that permits customers to work together with workflows.
Subsequent, Attias modified the content material kind and crafted the request physique to regulate the filepath, permitting him to load the inner “passwd” file into the organizational information base.
“To retrieve the content material of that inside file, all we have to do is ask about it via the chat interface,” he notes.
The bug could be additional exploited for code execution, Attias says.
An attacker can set off it to load n8n’s total database and its configuration file to retrieve delicate info, permitting them to forge a session cookie and log in as administrator. Then, they merely create a brand new workflow for command execution.
“The blast radius of a compromised n8n is huge. n8n connects numerous methods, your organizational Google Drive, OpenAI API keys, Salesforce information, IAM methods, fee processors, buyer databases, CI/CD pipelines, and extra,” Attias explains.
The vulnerability was addressed in n8n model 1.121.0, which was launched on November 18, 2025.
All internet-facing n8n cases are susceptible to full takeover and needs to be patched as quickly as doable, particularly now that Cyera has revealed technical particulars on how it may be triggered.
“No official workarounds can be found. As a short lived mitigation, customers might prohibit or disable publicly accessible webhook and kind endpoints till upgrading,” n8n notes.
Associated: Important HPE OneView Vulnerability Exploited in Assaults
Associated: Important Dolby Vulnerability Patched in Android
Associated: Fortinet Warns of New Assaults Exploiting Previous Vulnerability
Associated: UEFI Vulnerability in Main Motherboards Allows Early-Boot Assaults
