Severe n8n Vulnerability Discovered Allowing Unauthenticated Access and Command Execution


By Tina Reynolds


A critical vulnerability identified as CVE-2026-21858, codenamed “Ni8mare” by Cyera Research Labs, has been reported in the popular automation tool n8n. It affects CVE-2023-38219. The maximum CVSS score for this vulnerability is 10.0. It allows unauthenticated attackers to take full control of affected systems. Security researcher Dor Attias found this vulnerability on November 9, 2025. It is a dangerous flaw that poses a serious threat to users, mainly because of its wide blast radius.

The security issue is due to a bug in n8n’s webhook and file-handling functionality. More specifically, it occurs when a file-handling function runs without checking that the request’s “Content-Type” is “multipart/form-data.” This oversight gives attackers an opportunity to read sensitive secrets, create administrator access, and run arbitrary commands on the server.

Details of the Vulnerability

CVE-2026-21858 is a “Content-Type” confusion vulnerability in the core of n8n’s workflow handling. The n8n webhook’s file handling is meant to run only when it finds the “Content-Type” header set to “multipart/form-data.” That holds only until an attacker is able to exploit this weakness to circumvent the safeguard.

Dor Attias elaborated on the issue, stating, “Here’s the issue: since this function is called without verifying the content type is ‘multipart/form-data,’ we control the entire req.body.files object.” Threat actors would not be limited to downloading a file someone uploaded. Yikes, they might be able to copy any file on the local machine!

n8n acknowledged the severity of this vulnerability, explaining that “A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows.” Vulnerabilities like this have effects far beyond the immediate instance. A compromised n8n instance would completely expose every system it connects to.

Implications for Users

The ramifications of CVE-2026-21858 are extensive. According to Cyera Research Labs, “The blast radius of a compromised n8n is massive.” They further emphasized that “A compromised n8n instance doesn’t just mean losing one system — it means handing attackers the keys to everything.” This highlights the importance of making sure that personal n8n installations cannot be exploited by malicious actors.

We cannot overstate how important it is for users to act right away. For maximum protection, it’s important to upgrade to the patched version of n8n as soon as possible. Security professionals have urged users not to expose their n8n installations to the internet, to reduce risk. Implementing multi-factor authentication for all administrative forms is crucial to preventing unauthorized access.

Recommendations for Security Enhancement

To improve security in light of this vulnerability, users should keep the following tips in mind. First and foremost, all users should upgrade to the latest patched version of n8n immediately. Applying this update promptly will protect you from the risks related to CVE-2026-21858.

Users should never unnecessarily expose their n8n instances to public networks. By limiting access and using firewall rules, the attack surface can be greatly reduced.

An equally important step is enforcing authentication for all of n8n’s out-of-the-box forms. As noted by n8n, “A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage.”