Critical n8n vulnerability allows unauthenticated attackers to fully compromise servers

Cybersecurity researchers have disclosed a maximum-severity vulnerability (CVSS 10.0) in the workflow automation platform n8n that enables unauthenticated attackers to gain complete control over vulnerable instances.

The flaw, tracked as CVE-2026-21858 and codenamed Ni8mare, was discovered in November 2025 by security researcher Dor Attias from Cyera Research Labs. The vulnerability allows attackers to read arbitrary files, bypass administrator authentication, and ultimately execute arbitrary commands on the server.

Unlike previously disclosed n8n vulnerabilities, this issue requires no credentials. It exploits a Content-Type confusion flaw that allows attackers to control the req.body.files object and copy any local file from the underlying system.

The root cause lies in n8n’s webhook and form-handling logic. The formWebhook() function invokes file-handling routines without validating that the request is actually multipart/form-data. As a result, attackers can extract the n8n database, configuration files, and encryption keys, forge admin session cookies, and create malicious workflows that lead to full remote code execution.

Security researchers warn that a compromised n8n instance represents a high-impact risk, as it often stores centralized credentials for APIs, databases, cloud services, and OAuth integrations.

CVE-2026-21858 highlights the massive blast radius of security flaws in automation platforms. A single exposed n8n instance can provide attackers with complete access to interconnected systems. Immediate patching, restricting public webhook exposure, and enforcing authentication are critical steps to reduce risk.