Full Report
CVE-2026-21858 (Ni8mare) is a maximum-severity vulnerability in self-hosted n8n that can enable unauthenticated instance takeover, leading to remote code execution (RCE) when public webhook or form endpoints are exposed. Because n8n commonly stores and brokers API tokens, OAuth credentials, database access, and cloud keys, a compromise can quickly become a pivot into wider enterprise infrastructure. This issue lands amid a cluster of other critical n8n disclosures (including RCE and sandbox-bypass paths), increasing overall risk. The most effective response is to apply the latest updates immediately.
Analysis Summary
# Vulnerability: Ni8mare - Unauthenticated Instance Takeover Leading to RCE in n8n
## CVE Details
- CVE ID: CVE-2026-21858
- CVSS Score: Described as "maximum severity"; the source does not give a numeric CVSS score or vector.
- CWE: Not specified in the source text.
## Affected Systems
- Products: self-hosted n8n
- Versions: Not specified in the source; the guidance is that releases prior to the fix are affected and that operators should update to the latest release.
- Configurations: Vulnerability is exploitable when **public webhook or form endpoints are exposed**.
## Vulnerability Description
CVE-2026-21858, dubbed "Ni8mare," is a critical vulnerability in self-hosted n8n instances that allows for **unauthenticated instance takeover**. This takeover can lead directly to **Remote Code Execution (RCE)** if public webhook or form endpoints are accessible externally. The consequence of a successful exploit is severe ("a pivot into wider enterprise infrastructure") due to n8n's common role in storing API tokens, OAuth credentials, database access, and cloud keys.
## Exploitation
- Status: The source does not state whether the vulnerability is being exploited in the wild or whether a public proof of concept exists; it describes the risk as high because of the unauthenticated path to RCE and the cluster of concurrent n8n disclosures.
- Privileges Required: **None** (the takeover is unauthenticated). Attack complexity is not stated in the source.
- Attack Vector: **Network** (via exposed public endpoints).
## Impact
- Confidentiality: **High** (Exposure of sensitive credentials and enterprise pivot point).
- Integrity: **High** (Instance takeover leading to RCE).
- Availability: **High** (Potential for system disruption via RCE).
## Remediation
### Patches
- The source advises applying the latest n8n updates immediately; it does not name the fixed version, so check the vendor's release notes for the release that addresses CVE-2026-21858.
### Workarounds
- **Reduce Exposure:** Keep the n8n editor and API off the public internet. For webhook and form endpoints that must remain reachable, restrict them at a reverse proxy or firewall to the sources that legitimately call them, and remove or disable triggers that are no longer needed. Third-party services that call webhooks may not have stable source addresses, so treat this as a mitigation for the unpatched window, not a substitute for the update.
- **Credential Rotation:** Where exposure during the vulnerable window cannot be ruled out, assume compromise and rotate every API token, OAuth credential, database password, and cloud key stored in the instance, not only those used by workflows with public triggers: the credential store belongs to the instance, and an instance takeover exposes all of it.
- **Validation:** Review workflows for unauthorized additions or modifications (new triggers, altered nodes, new outbound destinations), and audit the downstream systems that stored credentials reach for activity originating from the n8n instance.
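The two exposure-reduction steps above start with knowing which workflows expose a public trigger and which credentials the instance holds. The following is an added example, not code from the source article or from the n8n project: it walks exported workflow JSON and produces that inventory. It assumes the shape of an n8n workflow export (a top-level `nodes` list whose entries carry `type`, `parameters` and optionally `credentials`), the trigger node type names and URL prefixes in `PUBLIC_TRIGGERS`, and that an absent `authentication` parameter means an unauthenticated endpoint; the sample workflows are constructed for the example. Check those assumptions against your own exports before acting on the output.

```python
"""Inventory of public trigger endpoints and stored credentials across
n8n workflow exports.

Added example, not code from the n8n project or the source article.  It
assumes the shape of an n8n workflow export (a top-level "nodes" list whose
entries carry "type", "parameters" and optionally "credentials"), the
trigger node type names and URL prefixes in PUBLIC_TRIGGERS, and that an
absent "authentication" parameter means an unauthenticated endpoint.  The
sample workflows below are constructed for the example.
"""

# Assumed node types that expose a public HTTP endpoint, mapped to the URL
# prefix under which n8n serves them (assumption).
PUBLIC_TRIGGERS = {
    "n8n-nodes-base.webhook": "/webhook/",
    "n8n-nodes-base.formTrigger": "/form/",
}


def public_endpoints(workflow):
    """One record per webhook/form trigger node in a workflow export."""
    found = []
    for node in workflow.get("nodes", []):
        prefix = PUBLIC_TRIGGERS.get(node.get("type"))
        if prefix is None:
            continue
        params = node.get("parameters", {})
        found.append({
            "workflow": workflow.get("name", "<unnamed>"),
            "node": node.get("name"),
            "path": prefix + str(params.get("path", "")),
            "method": params.get("httpMethod", "GET"),
            # Assumption: no "authentication" parameter means open endpoint.
            "auth": params.get("authentication", "none"),
        })
    return found


def referenced_credentials(workflow):
    """(credential type, credential name) pairs the workflow references.

    After a suspected instance takeover every one of these goes on the
    rotation list, whether or not its workflow has a public trigger: the
    credential store belongs to the instance, not to the workflow.
    """
    creds = set()
    for node in workflow.get("nodes", []):
        for ctype, ref in node.get("credentials", {}).items():
            creds.add((ctype, ref.get("name") or ref.get("id") or "?"))
    return creds


def exposure_report(workflows):
    """Summarise exposure across all exported workflows."""
    endpoints = [e for wf in workflows for e in public_endpoints(wf)]
    creds = set()
    for wf in workflows:
        creds |= referenced_credentials(wf)
    return {
        "endpoints": endpoints,
        "unauthenticated": [e for e in endpoints if e["auth"] == "none"],
        "credentials_to_rotate": sorted(creds),
    }


# Constructed sample exports: one open webhook, one basic-auth form, one
# scheduled job with no public trigger but a cloud credential.
SAMPLE_WORKFLOWS = [
    {
        "name": "Order intake",
        "nodes": [
            {"name": "Webhook", "type": "n8n-nodes-base.webhook",
             "parameters": {"path": "order-created", "httpMethod": "POST"}},
            {"name": "Postgres", "type": "n8n-nodes-base.postgres",
             "parameters": {},
             "credentials": {"postgres": {"id": "1", "name": "orders-db"}}},
            {"name": "Slack", "type": "n8n-nodes-base.slack",
             "parameters": {},
             "credentials": {"slackApi": {"id": "2", "name": "ops-bot"}}},
        ],
    },
    {
        "name": "Contact form",
        "nodes": [
            {"name": "Form", "type": "n8n-nodes-base.formTrigger",
             "parameters": {"path": "contact", "authentication": "basicAuth"},
             "credentials": {"httpBasicAuth": {"id": "3", "name": "form-auth"}}},
        ],
    },
    {
        "name": "Nightly S3 sync",
        "nodes": [
            {"name": "Schedule", "type": "n8n-nodes-base.scheduleTrigger",
             "parameters": {}},
            {"name": "S3", "type": "n8n-nodes-base.awsS3", "parameters": {},
             "credentials": {"aws": {"id": "4", "name": "prod-backup"}}},
        ],
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(exposure_report(SAMPLE_WORKFLOWS), indent=2))
```

On the sample data the report lists two public endpoints, of which only `/webhook/order-created` is unauthenticated, and four credentials to rotate, including the AWS key from the scheduled workflow that has no public trigger at all. Point the script at a directory of real exports (one JSON object per file) to get the same two lists for your instance.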
## Detection
- **Indicators of Compromise (IOCs):** The source names no specific IOCs. Signs consistent with this class of compromise include workflow executions nobody scheduled or triggered, workflows, credentials, users or API keys that appear or change without a corresponding change request, stored credentials being used against downstream systems from sources other than the n8n host, and outbound connections from the n8n host to unfamiliar destinations.
- **Detection Methods and Tools:** Review reverse-proxy or access logs for requests to webhook and form endpoints that do not correspond to any deployed workflow or that arrive from unexpected sources; on the host, watch for unexpected child processes or new listeners belonging to the n8n process, which are the usual signs of RCE on the server.
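One concrete form of the access-log check above, as an added example that is not part of the source article or of n8n: it parses reverse-proxy log lines in the common combined format, keeps only requests to trigger endpoints, and flags those whose path matches no deployed workflow or that hit a test endpoint. It assumes that n8n serves triggers under the `/webhook/`, `/webhook-test/`, `/form/` and `/form-test/` prefixes and that the set of deployed paths comes from your own workflow inventory; the log lines and `KNOWN_PATHS` are constructed for the example. A hit on an unknown path is a reconnaissance indicator, not proof of exploitation, and the source does not describe what an exploit request looks like.

```python
"""Triage of reverse-proxy access logs in front of n8n for requests to
trigger endpoints that do not belong to any deployed workflow.

Added example, not code from the source article or the n8n project.  It
assumes the combined log format matched by LOG_RE, the trigger URL
prefixes in TRIGGER_PREFIXES, and that KNOWN_PATHS is filled from your own
workflow inventory.  SAMPLE_LOG and KNOWN_PATHS are constructed.
"""
import re
from collections import Counter

# Assumed URL prefixes under which n8n serves production and test triggers.
TRIGGER_PREFIXES = ("/webhook/", "/webhook-test/", "/form/", "/form-test/")

# Combined log format: client ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: legitimate calls from a partner, a burst of
# probing from a second address, and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:09:14:02 +0000] "POST /webhook/order-created HTTP/1.1" 200 15
203.0.113.7 - - [10/Feb/2026:09:14:03 +0000] "POST /webhook/order-created HTTP/1.1" 200 15
198.51.100.23 - - [10/Feb/2026:09:20:11 +0000] "GET /webhook/admin HTTP/1.1" 404 0
198.51.100.23 - - [10/Feb/2026:09:20:12 +0000] "GET /webhook-test/order-created HTTP/1.1" 404 0
198.51.100.23 - - [10/Feb/2026:09:20:13 +0000] "POST /form/contact?x=1 HTTP/1.1" 200 311
192.0.2.5 - - [10/Feb/2026:09:31:40 +0000] "GET /healthz HTTP/1.1" 200 2
"""

# Paths that deployed workflows actually expose (from your own inventory;
# constructed here).
KNOWN_PATHS = {"/webhook/order-created", "/form/contact"}


def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, known_paths):
    """Return (findings, per-source counts) for trigger-endpoint requests
    that match no deployed workflow or that hit a test endpoint."""
    findings = []
    by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith(TRIGGER_PREFIXES):
            continue  # not a trigger endpoint, or unparseable
        path = rec["path"].split("?", 1)[0]  # compare without query string
        if path in known_paths:
            continue  # expected traffic to a deployed trigger
        reason = ("test endpoint hit" if "-test/" in path
                  else "unknown trigger path")
        findings.append({**rec, "path": path, "reason": reason})
        by_ip[rec["ip"]] += 1
    return findings, by_ip


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG, KNOWN_PATHS)
    for f in found:
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} -> {f['reason']}")
    for ip, n in counts.most_common():
        print(f"{ip}: {n} suspicious trigger request(s)")
```

On the sample log the two requests from 198.51.100.23 to `/webhook/admin` and `/webhook-test/order-created` are flagged while the partner's calls and the query-string variant of `/form/contact` are not; sorting sources by count is what turns scattered 404s into a single lead worth pulling host-level evidence for.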
## References
- Vendor Advisories: Not explicitly linked, but implied by the instruction to apply the latest updates.
- Relevant links - defanged:
- Source Article: hxxps://levelblue.com/blogs/spiderlabs-blog/ni8mare-on-automation-street-when-workflows-turn-into-an-attack-path/
- n8n release notes and security advisories (not linked in the source; consult the vendor's official channels for the fixed version).