Cybersecurity researchers have disclosed details of yet another maximum-severity security flaw in n8n, a popular workflow automation platform, that allows an unauthenticated remote attacker to gain complete control over susceptible instances.
The vulnerability, tracked as CVE-2026-21858 (CVSS score: 10.0), has been codenamed Ni8mare by Cyera Research Labs. Security researcher Dor Attias has been acknowledged for discovering and reporting the flaw on November 9, 2025.
"A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows," n8n said in an advisory published today. "A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage."
With the latest development, n8n has disclosed four critical vulnerabilities over the last two weeks -
- CVE-2025-68613 (CVSS score: 9.9) - An improper control of dynamically-managed code resources that could allow authenticated attackers to achieve remote code execution (RCE) under certain conditions (Fixed in versions 1.120.4, 1.121.1, and 1.122.0)
- CVE-2025-68668 or N8scape (CVSS score: 9.9) - A sandbox bypass vulnerability that could allow an authenticated user with permission to create or modify workflows to execute arbitrary commands on the host system running n8n (Fixed in version 2.0.0)
- CVE-2026-21877 (CVSS score: 10.0) - An unrestricted upload of a file with a dangerous type vulnerability that could allow an authenticated attacker to execute untrusted code via the n8n service, leading to full compromise of the instance (Fixed in version 1.121.3)
However, unlike these flaws, CVE-2026-21858 does not require any credentials and takes advantage of a "Content-Type" confusion flaw to extract sensitive secrets, forge administrator access, and even execute arbitrary commands on the server.
The vulnerability affects all versions of n8n prior to and including 1.65.0. It has been addressed in version 1.121.0, which was released on November 18, 2025. It's worth noting that the latest versions of the library are 1.123.10, 2.1.5, 2.2.4, and 2.3.0.
According to technical details shared by Cyera with The Hacker News, the crux of the problem is rooted in the n8n webhook and file handling mechanism. Webhooks, which are crucial to receive data from apps and services when certain events occur, are triggered after the incoming request is parsed using a function named "parseRequestBody()."
Specifically, the function is designed to read the "Content-Type" header in the request and invoke another function to parse the request body -
- Use parseFormData(), aka "file upload parser," if the "Content-Type" header is "multipart/form-data," denoting form data
- Use parseBody() aka "regular body parser" for all other content types
The file upload parser, in turn, uses the parse() function associated with formidable, a Node.js module for parsing form data, and stores the decoded result in a global variable called "req.body.files." This populated data is processed by the webhook, which only runs when the "Content-Type" header is set to "multipart/form-data."
In contrast, the regular body parser processes the incoming HTTP request body and stores the extracted data in a different global variable known as "req.body."
CVE-2026-21858 occurs when a file-handling function is run without first verifying that the content-type is "multipart/form-data," potentially allowing an attacker to override req.body.files. Cyera said it found such a vulnerable flow in the function that handles form submissions ("formWebhook()"), which invokes a file-handling function ("copyBinaryFile()") to act on "req.body.files."
"Here's the issue: since this function is called without verifying the content type is 'multipart/form-data,' we control the entire req.body.files object," Attias said. "That means we control the filepath parameter -- so instead of copying an uploaded file, we can copy any local file from the system."
"The result? Any node after the Form node receives the local file's content instead of what the user uploaded."
As for how the attack can play out, consider a website that has a chat interface to provide information about various products based on product specification files uploaded to the organizational knowledge base using a Form workflow. With this setup in place, a bad actor can leverage the security hole to read arbitrary files from the n8n instance and escalate it further to RCE by performing the following steps -
- Use the arbitrary read primitive to access the database located at "/home/node/.n8n/database.sqlite" and load it into the knowledge-base
- Extract the administrator's user ID, email, and hashed password using the chat interface
- Use the arbitrary read primitive again to load a configuration file located at "/home/node/.n8n/config" and extract the encryption secret key
- Use the obtained user and key information to forge a fake session cookie and obtain admin access, leading to an authentication bypass
- Achieve RCE by creating a new workflow with an "Execute Command" node
"The blast radius of a compromised n8n is massive," Cyera said. "A compromised n8n instance doesn't just mean losing one system -- it means handing attackers the keys to everything. API credentials, OAuth tokens, database connections, cloud storage -- all centralized in one place. n8n becomes a single point of failure and a goldmine for threat actors."
In light of the severity of the flaw, users are advised to upgrade to the patched version or later as soon as possible for optimal protection, avoid exposing n8n to the internet, and enforce authentication for all Forms. As temporary workarounds, it's advised to restrict or disable publicly accessible webhook and form endpoints.
Update
Attack surface management platform Censys said it's observing 26,512 exposed n8n hosts, the vast majority of which are located in the U.S. (7,079), Germany (4,280), France (2,655), Brazil (1,347), and Singapore (1,129).
