Critical 2026 n8n Vulnerability Lets Attackers Remotely Execute Code Without Credentials
Executive Summary
In early January 2026, security researchers disclosed CVE-2026-21858 ("Ni8mare"), a critical (CVSS 10.0) vulnerability in the n8n workflow automation platform. Affecting versions up to 1.65.0, the flaw allows unauthenticated remote attackers to exploit the application's "Content-Type" processing logic, enabling arbitrary file reads and ultimately granting full system takeover by escalating to remote code execution (RCE). Attackers can leverage exposed n8n instances, retrieve sensitive admin credentials, forge session tokens, and create malicious workflows to execute system commands. Globally, over 26,000 systems were identified as potentially exposed at disclosure time, many internet-accessible, posing grave risk to organizations running n8n.
This incident underscores a growing trend in supply chain and automation-tool attacks, where threat actors exploit complex integrations and insufficient access controls. The prevalence of automation platforms as central hubs for organizational secrets intensifies the impact radius. The urgent need to patch, limit internet exposure, and apply zero trust controls remains critical to prevent similar high-impact breaches.
Why This Matters Now
n8n's popularity in automating business processes makes its vulnerabilities particularly attractive to cybercriminals. With thousands of unpatched, internet-facing instances worldwide, this exploit offers attackers a turnkey method to compromise sensitive infrastructure, exfiltrate credentials, and pivot within organizations, magnifying urgency for immediate remediation and improved detection.
Attack Path Analysis
An unauthenticated attacker exploited CVE-2026-21858 in exposed n8n instances by submitting a crafted web request, bypassing authentication via Content-Type confusion. Using arbitrary file read, the attacker extracted sensitive admin secrets and credentials, escalating privileges to full admin access. With admin control, the attacker leveraged workflow creation features to establish persistence and potentially pivot inside the environment. Command and control was established by executing arbitrary commands and possibly setting up outbound communications. Sensitive data and secrets were then exfiltrated via workflows or outbound connectivity. Finally, the attacker could disrupt operations, steal sensitive business data, or use the n8n platform to attack additional assets, amplifying impact.
Kill Chain Progression
Initial Compromise
Description
Exploited public-facing n8n webhooks vulnerable to unauthenticated remote code execution via Content-Type confusion (CVE-2026-21858).
Related CVEs
CVE-2026-21858
CVSS 10An unauthenticated remote code execution vulnerability in n8n allows attackers to execute arbitrary system commands, leading to full compromise of the underlying host.
Affected Products:
n8n-io n8n – < 1.121.0
Exploit Status:
proof of conceptCVE-2025-49592
CVSS 4.6An open redirect vulnerability in n8n's login flow allows authenticated users to be redirected to untrusted domains, potentially leading to phishing attacks.
Affected Products:
n8n-io n8n – < 1.98.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation of Remote Services
Command and Scripting Interpreter: Windows Command Shell
Valid Accounts
Modify Authentication Process: Domain Controller Authentication
Data from Local System
Account Manipulation
Exploitation for Credential Access
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Security of Public-Facing Applications
Control ID: 6.3.1
NYDFS 23 NYCRR Part 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT System Security and Monitoring
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Strong Authentication and Access Control
Control ID: Identity Pillar: Authentication and Access Controls
NIS2 Directive (Directive (EU) 2022/2555) – Security of Network and Information Systems - Vulnerability Handling
Control ID: Annex I, 2(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure through n8n workflow automation platforms enabling unauthenticated RCE attacks compromising API credentials, OAuth tokens, and centralized infrastructure systems.
Financial Services
Maximum severity vulnerability threatens workflow automation systems handling sensitive financial data, enabling credential theft and regulatory compliance violations across payment processing.
Health Care / Life Sciences
CVSS 10.0 n8n vulnerability exposes healthcare automation workflows to unauthenticated attacks compromising patient data and HIPAA compliance through arbitrary file access.
Computer Software/Engineering
Software development organizations face critical risk from n8n automation platform exploitation enabling complete system compromise and intellectual property theft through RCE.
Sources
- Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Controlhttps://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.htmlVerified
- Unauthenticated File Access via Improper Webhook Request Handlinghttps://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pgVerified
- Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858)https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858Verified
- January 7 Advisory: n8n Unauthenticated Remote Code Execution (NI8MARE) [CVE-2026-21858]https://censys.com/advisory/cve-2026-21858Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, internal firewalling, anomaly detection, and egress controls would have restricted exposed interfaces, contained post-exploit movement, detected suspicious activity, and blocked data theft. Network-layer enforcement aligned with Zero Trust would have limited blast radius and provided early alerts.
Control: Cloud Firewall (ACF)
Mitigation: Firewall blocks unauthorized inbound access to workflow endpoints.
Control: Zero Trust Segmentation
Mitigation: Service segmentation prevents excessive privilege access to sensitive backend files.
Control: East-West Traffic Security
Mitigation: Lateral traffic is monitored and controlled between internal workloads.
Control: Inline IPS (Suricata)
Mitigation: Malicious command or control attempts are detected and blocked in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data transfers are filtered and anomalous exfiltration attempts are blocked.
Rapid detection and response to suspicious workflow activity or privilege abuse minimizes fallout.
Impact at a Glance
Affected Business Functions
- Automation Workflows
- Data Processing
- System Integration
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive information stored on the system, including API credentials, OAuth tokens, database connections, and cloud storage access.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately upgrade n8n instances to a patched version and remove direct internet exposure of all automation endpoints.
- • Enforce perimeter controls using cloud firewalls (ACF) and segment access with Zero Trust policies to restrict both north-south and east-west attack vectors.
- • Apply strict egress security and monitoring to contain data exfiltration attempts from automation or exposed workloads.
- • Implement anomaly detection and real-time alerting to capture suspicious workflow, privilege, or command execution activity within key SaaS and automation platforms.
- • Regularly audit cloud workloads and IAM-credential storage practices to eliminate centralized secrets and enforce least-privilege segmentation across critical automation assets.
