New Critical Ni8mare Vulnerability in n8n: Unauthenticated Attack

An unauthenticated critical RCE in the n8n workflow automation platform, tracked as CVE-2026-21858 and dubbed Ni8mare, abuses improper Content-Type handling on Webhook and Form nodes to inject file references, read local files (including the encryption keys), and forge admin tokens that hand the attacker full control of the instance. Public PoC code exists and thousands of exposed n8n installations are at risk: update immediately to n8n 1.121.0 or later and restrict internet exposure.

Keypoints

  • Ni8mare (CVE-2026-21858) is a critical unauthenticated remote code execution vulnerability in n8n with a CVSS score of 10.0/10.0.
  • The flaw stems from improper Content-Type handling on Webhook and Form nodes: a request that is not processed as the expected multipart upload lets the attacker populate req.body.files with data they control, so file references in the request are treated as if they were uploaded files.
  • Attackers can read local files (including the SQLite database and the config file with encryption keys), derive admin tokens, and fully compromise instances.
  • Many default/self-hosted n8n installations (notably Docker deployments) store critical files in predictable paths: /home/node/.n8n/database.sqlite and /home/node/.n8n/config.
  • Proof-of-concept exploits are publicly available and thousands of n8n instances are directly exposed on the internet, increasing the risk of widespread compromise.
  • The only complete remediation is to upgrade all instances to n8n version 1.121.0 or later; additionally, restrict public exposure via firewall, VPN, or network segmentation and investigate possible compromises.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited improper Content-Type handling on Webhook/Form nodes to gain unauthorized access (‘a remote attacker can exploit a defect in how n8n handles requests to webhooks and Form nodes to obtain unauthorized access to the server’)
  • [T1005] Data from Local System – Used the vulnerability to read local files such as the SQLite database and configuration files (‘the target is the configuration file that contains the encryption keys… /home/node/.n8n/database.sqlite’)
  • [T1552.001] Credentials in Files – Retrieved encryption keys from the n8n config to generate administrative credentials (‘the configuration file that contains the encryption keys to access sensitive information in the local SQLite database in encrypted form’)
  • [T1078] Valid Accounts – Generated administrative tokens from recovered keys to obtain full access to the system (‘With these keys, the attacker can generate admin tokens and obtain full access to the system’)
  • [T1059] Command and Scripting Interpreter – Created workflows with an Execute Command node to run arbitrary commands under the n8n process privileges (‘create a workflow with a node like Execute Command and have arbitrary commands executed on the system with the privileges of the n8n instance’)

Indicators of Compromise

  • [File Path] Sensitive local files targeted by the exploit – /home/node/.n8n/database.sqlite, /home/node/.n8n/config
  • [CVE] Vulnerability identifiers referenced – CVE-2026-21858 (Ni8mare), CVE-2025-68613
  • [Version] Remediation/version indicator – fixed in n8n 1.121.0 (instances running versions prior to 1.121.0 are vulnerable)
  • [Proof-of-Concept] Exploit availability – public PoC code demonstrating the attack (no URL provided in article)
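A small triage script that turns the two actionable items above (the fixed version and the Execute Command post-exploitation step) into checks a responder can run against a self-hosted instance. This is an added example, not code from the advisory or from the n8n project. The fixed version 1.121.0 and the default database path come from the advisory; the SQLite table name workflow_entity, its JSON nodes column and the node type identifier n8n-nodes-base.executeCommand are assumptions about n8n's storage layout and should be verified against the instance being examined. The sample database and the version string 1.120.4 are constructed test data.

```python
"""Triage helper for the Ni8mare advisory (CVE-2026-21858).

Added example, not n8n project code. Two checks a responder would want:
  1. is the running version older than the first fixed release (1.121.0)?
  2. does the workflow database contain Execute Command nodes, the
     post-exploitation step the advisory describes?

Assumptions (not from the advisory): the SQLite table ``workflow_entity``
with a JSON-encoded ``nodes`` column, and the node type identifier
``n8n-nodes-base.executeCommand``. Verify both against the instance examined.
"""
import json
import re
import sqlite3

FIXED_VERSION = (1, 121, 0)                          # from the advisory
EXEC_NODE_TYPE = "n8n-nodes-base.executeCommand"     # assumed node type id
DEFAULT_DB_PATH = "/home/node/.n8n/database.sqlite"  # default Docker path per advisory


def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.120.4' or 'n8n@1.121.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_version(text):
    """True when the version predates the first fixed release."""
    return parse_version(text) < FIXED_VERSION


def find_execute_command_workflows(conn):
    """List (workflow_id, workflow_name, node_name) for every Execute Command node.

    Rows whose nodes column is not valid JSON are reported as well: an
    unreadable workflow is itself a finding during an investigation, not
    something to skip silently.
    """
    hits = []
    for wf_id, wf_name, nodes_json in conn.execute(
        "SELECT id, name, nodes FROM workflow_entity"
    ):
        try:
            nodes = json.loads(nodes_json or "[]")
        except json.JSONDecodeError:
            hits.append((wf_id, wf_name, "<unparseable nodes column>"))
            continue
        for node in nodes:
            if node.get("type") == EXEC_NODE_TYPE:
                hits.append((wf_id, wf_name, node.get("name", "?")))
    return hits


def open_readonly(path):
    """Open the live database read-only so triage never modifies evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed in-memory database in the assumed layout (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow_entity (id TEXT PRIMARY KEY, name TEXT, nodes TEXT)")
    benign = [{"name": "Webhook", "type": "n8n-nodes-base.webhook"},
              {"name": "Slack", "type": "n8n-nodes-base.slack"}]
    suspicious = [{"name": "Webhook", "type": "n8n-nodes-base.webhook"},
                  {"name": "Run shell", "type": EXEC_NODE_TYPE,
                   "parameters": {"command": "id"}}]
    conn.executemany("INSERT INTO workflow_entity VALUES (?, ?, ?)", [
        ("wf-1", "Daily report", json.dumps(benign)),
        ("wf-2", "Untitled", json.dumps(suspicious)),
        ("wf-3", "Broken", "{not json"),
    ])
    conn.commit()
    return conn


def triage(version_text, conn):
    """Combine both checks into one report dict."""
    return {
        "vulnerable_version": is_vulnerable_version(version_text),
        "execute_command_workflows": find_execute_command_workflows(conn),
    }


if __name__ == "__main__":
    import sys
    # Usage: python ni8mare_triage.py <version string> [<path to database.sqlite>]
    version = sys.argv[1] if len(sys.argv) > 1 else "1.120.4"   # sample input
    db = open_readonly(sys.argv[2]) if len(sys.argv) > 2 else build_sample_db()
    print(json.dumps(triage(version, db), indent=2))
```

Run it with the output of `n8n --version` (or the image tag of the container) and, for a real investigation, a copy of database.sqlite rather than the live file. An Execute Command node the operators did not create is a strong signal of the workflow-based post-exploitation the advisory describes; a clean result does not prove the instance was not reached through the file-read path, so the encryption key and any admin credentials should still be rotated on instances that were exposed while unpatched.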


Read more: https://cert-agid.gov.it/news/nuova-vulnerabilita-critica-ni8mare-in-n8n-attacco-senza-autenticazione/