Full Report
Unauthenticated RCE means anyone on the network can seize full control. A maximum-severity bug in the popular automation platform n8n has left an estimated 100,000 servers wide open to complete takeover, courtesy of a flaw so bad it doesn't even require logging in.…
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution (RCE) in n8n via Webhook Content-Type Confusion (ni8mare)
## CVE Details
- CVE ID: CVE-2026-21858
- CVSS Score: 10.0 (Critical)
- CWE: Content-Type Confusion (Implied/Related to header manipulation)
## Affected Systems
- Products: n8n (Automation platform)
- Versions: Prior to v1.121.0
- Configurations: Any publicly accessible n8n instance processing webhooks.
## Vulnerability Description
The vulnerability, dubbed "ni8mare," is a critical unauthenticated Remote Code Execution (RCE) flaw stemming from a "Content-Type Confusion" issue in how n8n processes webhooks. An unauthenticated attacker can manipulate HTTP headers (specifically the `Content-Type`) to overwrite internal variables used by the application during webhook processing. This manipulation allows the attacker to read arbitrary files from the underlying system, which can then be escalated to achieve full Remote Code Execution (RCE) on the host server.
## Exploitation
- Status: PoC available (Implied by the detailed technical disclosure)
- Complexity: Low (No authentication required, network accessible)
- Attack Vector: Network
## Impact
- Confidentiality: Complete compromise (Arbitrary file read leads to credential/data theft)
- Integrity: Complete compromise (Arbitrary code execution)
- Availability: Complete compromise (Server takeover)
*Note: The impact is stated as massive, as the compromised n8n instance often holds credentials (API keys, OAuth tokens) for numerous connected systems (Cloud services, databases, CI/CD pipelines).*
## Remediation
### Patches
- **n8n version 1.121.0 or later** contains the necessary fix.
### Workarounds
- The vendor advises there is **no workaround other than patching**. Restricting network access to the n8n instance may serve as a temporary barrier, but effective remediation requires patching.
## Detection
- **Indicators of Compromise (IoC):** In application logs, unexpected activity related to webhook processing; reads of sensitive system files (e.g., configuration files, credential stores) that originate from web requests; or sudden changes to system executables.
- **Detection Methods and Tools:** Network monitoring for unusual traffic patterns directed at webhook endpoints. Security scanning should prioritize identifying instances running outdated n8n versions.
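The version-based check suggested above, as an added example that is not part of the advisory or of n8n itself: it parses the version strings an inventory reports, compares them against the fixed release named in this report (1.121.0), and treats anything it cannot parse as "unknown" rather than "safe". The hostnames and version strings in the sample inventory are constructed for the example.

```python
import re
from typing import Optional

# Fixed version named in the advisory above (1.121.0 or later contains the fix).
FIXED_VERSION = (1, 121, 0)

# Accepts 'v1.120.3', '1.121.0-rc.1', '1.121+build7' or the two-part '1.121'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(raw: str) -> Optional[tuple]:
    """Parse a reported version into (major, minor, patch).

    Returns None for strings like 'latest' so callers can flag them for
    manual review instead of silently treating them as patched.
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(raw_version: str) -> Optional[bool]:
    """True if the version predates the fix, False if patched, None if unparseable.

    A pre-release of the fixed version (e.g. 1.121.0-rc.1) is treated as
    vulnerable, since the advisory only vouches for the 1.121.0 release itself.
    """
    parsed = parse_version(raw_version)
    if parsed is None:
        return None
    is_prerelease = "-" in raw_version.split("+")[0]
    if parsed == FIXED_VERSION and is_prerelease:
        return True
    return parsed < FIXED_VERSION


def triage(inventory) -> dict:
    """Group (host, version) pairs into vulnerable / patched / unknown buckets."""
    buckets = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        status = is_vulnerable(version)
        key = "unknown" if status is None else ("vulnerable" if status else "patched")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("n8n-prod-01", "1.120.3"),
    ("n8n-prod-02", "v1.121.0"),
    ("n8n-staging", "1.121.0-rc.1"),
    ("n8n-legacy", "0.236.3"),
    ("n8n-unknown", "latest"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```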
## References
- Vendor Advisory (Implied fix released on November 18, 2025)
- [Cyera Research for CVE-2026-21858 (defanged)](https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858)