n8n Exposes Servers To Remote Code Execution

Cyera researchers disclosed a maximum-severity unauthenticated remote code execution flaw in n8n, tracked as CVE-2026-21858 with CVSS 10.0, affecting an estimated 100,000 servers. The bug, dubbed "ni8mare", exploits webhook Content-Type confusion to overwrite internal variables and read arbitrary files; n8n released a patch in version 1.121.0 on Nov 18, 2025. Organizations must patch immediately to protect API keys and connected systems.
Key Points
- 1Allows unauthenticated remote code execution via webhook Content-Type confusion (CVE-2026-21858, CVSS 10.0)
- 2Enables attackers to read arbitrary files and steal centralized API credentials and tokens, widening blast radius
- 3Requires immediate upgrade to n8n 1.121.0 or later to patch vulnerability and prevent full takeover
Scoring Rationale
High severity and wide exposure with official vendor patch; actionable remediation mitigates significant operational and credential risk.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
