A critical vulnerability affecting the n8n automation platform, used by approximately 100,000 servers globally, could allow attackers to gain complete control over targeted networks. The high-severity flaw, identified as CVE-2026-21858, was discovered by cybersecurity firm Cyera and reported to n8n on November 9.
Developers released a patch for the vulnerability on November 18th, nearly two months after the initial report. However, the vulnerability and its official CVE designation were not publicly disclosed until Wednesday. This delay has raised concerns among cybersecurity professionals regarding the potential for exploitation.
Understanding the n8n Vulnerability
The vulnerability, dubbed “ni8mare” by Cyera, is a content-type confusion flaw that requires no authentication and can lead to full remote-code execution. This means an attacker could potentially execute commands on a compromised server without needing any prior access or credentials.
According to Dor Attias, a security researcher at Cyera Research Labs, the implications are significant. “n8n sits at the heart of enterprise automation infrastructure,” Attias stated. “Gaining control of n8n means gaining access to your secrets, customer data, CI/CD pipelines and more.”
While researchers have not yet observed active exploitation in the wild, Cyera has published a working proof of concept. Such disclosures often accelerate the urgency for organizations to apply patches before attackers can weaponize the exploit.
Implications for Organizations
The widespread adoption of n8n, which facilitates the integration of AI agents, workflows, and numerous enterprise services, makes this vulnerability a significant concern for businesses. “n8n instances typically manage highly sensitive workflows containing access tokens, credentials and business-critical data. That makes them a gold mine for attackers,” commented Amiram Shachar, CEO of Upwind.
Organizations utilizing the n8n platform are strongly advised to update to version 1.121.1 or a later release to remediate the vulnerability. Currently, there is no known workaround for the issue besides applying the provided patch.
Factors Amplifying Risk
Several systemic weaknesses can exacerbate the risk associated with this vulnerability. These include a lack of precise exposure management, insufficient permission boundaries, and broader application security control gaps, according to Shachar. These factors can provide attackers with additional avenues for exploitation or lateral movement once an initial compromise is achieved.
Disclosure Timeline and Observations
The nearly two-month period between Cyera’s reporting of the vulnerability and its public disclosure has drawn attention. n8n reportedly began working on a fix the day after the vulnerability was reported. The reasons for the delay in public disclosure remain unclear, though one theory suggests n8n may have been addressing other critical bugs concurrently.
Notably, n8n also disclosed a separate remote-code execution vulnerability (CVE-2026-21877) with a CVSS score of 10 on the same day the initial vulnerability was publicly announced. Some security teams view delayed disclosures as a responsible practice, allowing time to develop and distribute patches before widely alerting potential attackers.
Meanwhile, Upwind has observed an increase in network traffic targeting n8n instances. Shachar speculates this activity is likely driven by heightened interest from both malicious actors and security researchers rather than confirmed exploitation at this time.
Looking Ahead
The primary next step for affected organizations is to promptly update their n8n installations to the latest patched version. The delayed public disclosure and the simultaneous announcement of another critical vulnerability may indicate ongoing efforts by n8n to bolster its security posture. Further public advisories or technical analyses may emerge as security researchers continue to scrutinize the platform.