The vulnerability CVE-2026-21858, codenamed Ni8mare, is a critical security flaw in the n8n workflow automation platform that allows unauthenticated remote attackers to fully compromise vulnerable instances. The root cause lies in improper handling of HTTP request Content-Type headers in webhook processing. n8n uses different parsers for multipart/form-data (file uploads) and other content types, storing parsed data in separate global variables (req.body.files and req.body). The flaw occurs because a file-handling function (copyBinaryFile()) is invoked without verifying that the Content-Type is multipart/form-data, allowing attackers to override req.body.files arbitrarily. This enables attackers to read arbitrary local files by controlling the filepath parameter, effectively turning the file upload mechanism into an arbitrary file read primitive. Using this, attackers can extract sensitive files such as the SQLite database and configuration files containing encryption keys. With these, attackers can forge admin session cookies, bypass authentication, and escalate to remote code execution by creating malicious workflows with command execution nodes. The vulnerability affects all n8n versions prior to and including 1.65.0 and was fixed in version 1.121.0 released on November 18, 2025. The impact is severe because n8n centralizes access to API credentials, OAuth tokens, databases, and cloud storage, making a compromised instance a single point of failure and a valuable target for attackers. The vulnerability requires no authentication or user interaction, making exploitation straightforward if the instance is exposed. The advisory recommends immediate upgrade, restricting public webhook access, and enforcing authentication on forms to mitigate risk.

For European organizations, the impact of this vulnerability is substantial. n8n is widely used for automating workflows that integrate multiple business-critical applications and cloud services. A successful exploit could lead to full compromise of the automation platform, exposing sensitive credentials, internal databases, and cloud storage access keys. This could cascade into broader network compromise, data breaches, and disruption of automated business processes. Organizations relying on n8n for customer-facing forms or public webhooks are particularly vulnerable to remote exploitation. The breach of sensitive data could result in regulatory penalties under GDPR, reputational damage, and operational downtime. Furthermore, attackers gaining control over n8n could pivot to other internal systems, amplifying the attack's reach. The centralized nature of n8n as an integration hub means the blast radius of a compromise is large, affecting multiple connected services and data stores. European sectors with high automation adoption, such as finance, manufacturing, and public services, face elevated risks.

1. Immediately upgrade all n8n instances to version 1.121.0 or later, as this version contains the patch for CVE-2026-21858. 2. Avoid exposing n8n instances directly to the internet; deploy behind VPNs or secure gateways. 3. Enforce strict authentication and authorization on all form workflows and webhook endpoints to prevent unauthenticated access. 4. Temporarily disable or restrict publicly accessible webhook and form endpoints until patches are applied. 5. Implement network segmentation to isolate n8n servers from critical infrastructure and sensitive data stores. 6. Monitor logs for unusual file access patterns or workflow creations that could indicate exploitation attempts. 7. Conduct a thorough audit of existing workflows to identify and remediate any that could be abused for code execution. 8. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious multipart/form-data requests or content-type anomalies targeting n8n endpoints. 9. Educate DevOps and security teams about the risks of exposing automation platforms and the importance of timely patching. 10. Regularly back up n8n configurations and databases to enable rapid recovery in case of compromise.