SECURITY
A new report out today from data security company Cyera Ltd. is warning that a recently discovered critical security vulnerability in workflow automation platform n8n puts thousands of organizations at risk of full system compromise.
The vulnerability, tracked as CVE-2026-21858 and assigned a maximum Common Vulnerability Scoring System score of 10.0, can allow unauthenticated attackers to achieve remote code execution on vulnerable n8n instances.
Dubbed “Ni8mare” by Cyera’s researchers, the vulnerability allows for a complete takeover of affected environments without the need for prior authentication.
N8n is a popular no-code and low-code automation platform that allows organizations to connect applications, application programming interfaces and services through customizable workflows. The platform has millions of users across developers and enterprises, as well as hundreds of millions of container downloads.
The vulnerability is due to the improper handling of incoming HTTP requests in n8n’s webhook and form processing logic. The platform fails to validate the Content-Type header correctly in certain webhook scenarios and, in doing so, allows an attacker to manipulate how uploaded data is parsed.
The issue allows for a crafted request to trick n8n into treating arbitrary input as uploaded files, even when no legitimate file upload is present.
The result is that attackers can read arbitrary files from the underlying system and then extract n8n’s internal SQLite database, access stored credentials and secrets, recover encryption keys and forge valid authentication tokens.
Having gained access, an attacker could then impersonate administrators and ultimately create malicious workflows that execute arbitrary system commands, resulting in full remote code execution.
“The blast radius of a compromised n8n is massive,” the researchers write. “N8n connecting countless systems, your organizational Google Drive, OpenAI API keys, Salesforce data, IAM systems, payment processors, customer databases, CI/CD pipelines and more.”
“Imagine a large enterprise with 10,000+ employees with one n8n server that anyone uses,” the researchers added. “A compromised n8n instance doesn’t just mean losing one system — it means handing attackers the keys to everything. API credentials, OAuth tokens, database connections, cloud storage — all centralized in one place. N8n becomes a single point of failure and a goldmine for threat actors.”
The good news is that n8n has released patches addressing the issue. Fixes are available starting from version 1.121.0 of n8n, and security teams and administrators running self-hosted instances are advised to upgrade immediately.
Cyera also recommends limiting public exposure of webhook and form endpoints and implementing additional network-level controls where possible.
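For teams tracking several self-hosted instances, the sketch below is an added example (not code from Cyera or n8n) that triages an inventory against the fixed version 1.121.0 and ranks unpatched hosts with exposed webhook or form endpoints first. The hostnames, versions and exposure flags are constructed sample data, and treating a pre-release of the fixed version as unpatched is a conservative assumption.

```python
import re

FIXED = (1, 121, 0)  # first patched n8n release, per the article

# Constructed sample inventory: (host, reported version, webhook/form endpoints internet-facing?)
INVENTORY = [
    ("n8n-prod.example.internal", "1.120.4", True),
    ("n8n-dev.example.internal", "1.119.0", False),
    ("n8n-ops.example.internal", "1.121.0", True),
    ("n8n-lab.example.internal", "v1.121.0-rc.1", False),
    ("n8n-old.example.internal", "latest", True),
]

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def is_patched(text):
    """True or False for a parseable version, None when it cannot be decided."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    core, prerelease = parsed
    # Assumption: a pre-release of the fixed version is treated as unpatched.
    if core == FIXED and prerelease:
        return False
    return core >= FIXED

def triage(inventory):
    """Rank hosts needing action: P1 exposed and unpatched, P2 unknown, P3 internal unpatched."""
    findings = []
    for host, version, exposed in inventory:
        patched = is_patched(version)
        if patched:
            continue
        if patched is None:
            priority, reason = 2, "version unknown, verify manually"
        elif exposed:
            priority, reason = 1, "unpatched with exposed webhook/form endpoints"
        else:
            priority, reason = 3, "unpatched, not internet-facing"
        findings.append((priority, host, version, reason))
    return sorted(findings)

if __name__ == "__main__":
    for priority, host, version, reason in triage(INVENTORY):
        print(f"P{priority} {host} {version}: {reason}")
```

Unparseable tags such as `latest` are reported for manual verification rather than assumed safe, since a floating tag says nothing about which release is actually running.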