n8n, an open-source and widely used workflow automation platform, is facing a serious security situation after the disclosure of two critical-severity vulnerabilities. The more severe flaw, CVE-2026-21858, nicknamed “Ni8mare,” allows unauthenticated remote attackers to take full control of vulnerable n8n instances. It was discovered by researcher Nathan Nehorai, and JFrog’s disclosure has brought a sense of urgency among users of the platform.
CVE-2026-21858 is the real doozy: an attacker who successfully exploits it can fully compromise the entire n8n instance. As of January 27th, 2026, over 39,000 n8n instances are still vulnerable to this major security risk. Data made available by The Shadowserver Foundation corroborates that this vulnerability is widely exploited across many common deployments. n8n instances running with the “internal” execution mode are especially vulnerable.
Details of the Vulnerabilities
Alongside CVE-2026-21858, n8n has disclosed a second critical vulnerability, logged as CVE-2026-1470. This issue is fixed in versions 1.123.17, 2.4.5 and 2.5.1 of the platform. Likewise, CVE-2026-0863 was fixed in earlier releases, namely 1.123.14, 2.3.5 and 2.4.2.
Shachar Menashe, a representative from JFrog, emphasized the gravity of the situation by stating, “any user of n8n can exploit this issue and gain a complete takeover of the entire n8n instance, so that makes it a bit more dangerous.” This underlines the need for immediate action by users who are still running versions of the platform that are under active exploitation.
Recommendations for Users
n8n’s documentation makes very clear that running with internal mode in production poses security risks. The platform recommends that all users immediately switch to “external mode,” which keeps n8n and the task runner processes properly separated. This precautionary measure helps reduce the risk created by these widespread vulnerabilities.
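To turn the fixed versions listed above and the external-mode recommendation into a repeatable check, here is a small triage script for an n8n inventory. It is an added example, not code from the advisory, JFrog or the n8n project: the fixed-version lists are the ones stated in this article, while the "same release line at or above the fix, or any newer release line" ordering rule, the `N8N_RUNNERS_MODE` variable name and the sample hosts are assumptions to be checked against n8n's own release notes and documentation.

```python
# Added example (not from the advisory or from n8n): triage an n8n instance's
# reported version and task-runner mode against the disclosure.
# Fix lists come from the article; the ordering rule in is_patched() and the
# N8N_RUNNERS_MODE variable name are assumptions.
from typing import Dict, List, Tuple

# Fixed releases as stated in the disclosure (one per maintained release line).
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2026-1470": ["1.123.17", "2.4.5", "2.5.1"],
    "CVE-2026-0863": ["1.123.14", "2.3.5", "2.4.2"],
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.4.5' into (2, 4, 5); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def is_patched(version: str, fixes: List[str]) -> bool:
    """Assumed rule: a build is patched if it sits on a listed major.minor line at
    or above that line's fix, or on a newer major.minor line than any listed fix.
    Older lines with no listed fix are treated as unpatched (conservative)."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in fixes]
    for f in fixed:
        if v[:2] == f[:2]:          # same release line: compare patch level
            return v >= f
    newest_line = max(f[:2] for f in fixed)
    return v[:2] > newest_line      # newer line than any fix: assume it carries it

def triage(version: str, runners_mode: str) -> List[str]:
    """Return findings for one instance; an empty list means nothing was flagged."""
    findings = []
    for cve, fixes in FIXED_VERSIONS.items():
        if not is_patched(version, fixes):
            findings.append(f"{cve}: {version} predates fix ({', '.join(fixes)})")
    # The disclosure singles out internal task-runner mode; external mode keeps
    # the runner in a separate process. Variable name is an assumption.
    if runners_mode.lower() != "external":
        findings.append("N8N_RUNNERS_MODE is not 'external'; move task runners to external mode")
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver, mode in [("wf-01", "2.4.3", "internal"), ("wf-02", "2.5.1", "external")]:
        print(host, triage(ver, mode) or ["OK"])
```

Because the page gives no fixed version for CVE-2026-21858 itself, the script deliberately does not encode one; add it from the vendor advisory before relying on the result.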
According to JFrog, “As n8n spans an entire organization to automate AI workflows, it holds the keys to core tools, functions, and data from infrastructure, including LLM APIs, sales data, and internal IAM systems, among others.” This is why keeping software up to date with the latest versions is key to protecting a wealth of sensitive organizational data.
Challenges in Software Security
Nathan Nehorai added a point about the wider implications of these vulnerabilities for sandboxing high-level programming languages. He noted, “These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high-level languages such as JavaScript and Python.” Even with multiple validation layers and security controls in place, subtle language features can be exploited to bypass security assumptions.

