Full Report
Cybersecurity researchers have disclosed details of yet another maximum-severity security flaw in n8n, a popular workflow automation platform, that allows an unauthenticated remote attacker to gain complete control over susceptible instances. The vulnerability, tracked as CVE-2026-21858 (CVSS score: 10.0), has been codenamed Ni8mare by Cyera Research Labs. Security researcher Dor Attias has been
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in n8n via Content-Type Confusion
## CVE Details
- CVE ID: CVE-2026-21858
- CVSS Score: 10.0 (Critical)
- CWE: CWE-20 (Improper Input Validation - Inferred based on description of Content-Type confusion leading to remote code execution)
## Affected Systems
- Products: n8n (workflow automation platform)
- Versions: All versions prior to and including 1.65.0.
- Configurations: Affects instances processing form-based workflows via webhooks.
## Vulnerability Description
This critical vulnerability, codenamed "Ni8mare," stems from a **Content-Type confusion flaw** within the n8n webhook processing mechanism, specifically related to the `parseRequestBody()` function.
The flaw occurs because the system incorrectly handles file-handling functions without verifying that the incoming HTTP request's `Content-Type` header is set to `multipart/form-data`. When processing webhooks, n8n attempts to use either `parseFormData()` (for `multipart/form-data`) or `parseBody()` (for all others). If an attacker sends a request with a manipulated or missing `Content-Type` header that bypasses the check, the file-handling logic might be triggered incorrectly. This can lead to the exposure of sensitive information (secrets), forging of administrator access, and execution of arbitrary commands on the underlying server via improper utilization of request body parsing mechanisms.
## Exploitation
- Status: Details disclosed, **PoC available** (Implied by researcher disclosure and severity).
- Complexity: **Low** (Requires unauthenticated network access, but exploits logic flaw rather than complex authentication bypass).
- Attack Vector: **Network** (Remote, unauthenticated).
## Impact
- Confidentiality: **Complete compromise** (Exposure of sensitive information like system secrets).
- Integrity: **Complete compromise** (Ability to forge administrator access and execute arbitrary commands).
- Availability: **Complete compromise** (Ability to disrupt or take control of the instance).
## Remediation
### Patches
- **Fixed Version:** n8n version **1.121.0** (Released November 18, 2025).
- Users should upgrade to the latest version available (e.g., 1.123.10, 2.1.5, or 2.3.0 as of the article date) to ensure all subsequent security patches are applied.
### Workarounds
- No explicit workarounds were provided in the source material, but strict network filtering or disabling external access to webhooks processing untrusted data could serve as a temporary defense until patching is complete.
## Detection
- **Indicators of Compromise:** Unexpected file usage within webhook processing paths, unauthorized access attempts corresponding to form-data request patterns, or exposure of system secrets known to be stored on the host.
- **Detection Methods and Tools:** Monitoring network traffic targeting webhook endpoints for suspicious `Content-Type` headers or unusual response patterns following requests that attempt to exploit form-data parsing logic.
## References
- Vendor Advisory: hxxps://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
- Research Disclosure: hxxps://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858