Full Report
CVE-2026-21858 (Ni8mare) is a maximum-severity vulnerability in self-hosted n8n that can enable unauthenticated instance takeover, leading to remote code execution (RCE) when public webhook or form endpoints are exposed. Because n8n commonly stores and brokers API tokens, OAuth credentials, database access, and cloud keys, a compromise can quickly become a pivot into wider enterprise infrastructure. This issue lands amid a cluster of other critical n8n disclosures (including RCE and sandbox-bypass paths), increasing overall risk. The most effective response is to apply the latest updates immediately.
Analysis Summary
# Vulnerability: Ni8mare (Unauthenticated Instance Takeover leading to RCE in n8n)
## CVE Details
- CVE ID: CVE-2026-21858
- CVSS Score: Maximum severity (a specific numerical score is not provided in the source; assumed high based on the "maximum-severity" description)
- CWE: Not explicitly provided; the outcome (unauthenticated takeover leading to RCE) points toward an injection or improper access control weakness.
## Affected Systems
- Products: self-hosted n8n
- Versions: Specific affected version ranges are not listed in the provided snippet; the guidance that all instances be updated immediately implies that older versions are affected.
- Configurations: Exploitable when public webhook or form endpoints are exposed.
## Vulnerability Description
CVE-2026-21858, nicknamed "Ni8mare," is a maximum-severity vulnerability within self-hosted n8n instances. This flaw allows for unauthenticated takeover of the instance, which can lead to Remote Code Execution (RCE) if public webhook or form endpoints are active. Since n8n often handles highly sensitive secrets (API tokens, OAuth credentials, database access, cloud keys), this compromise grants a direct pivot point into wider enterprise infrastructure.
## Exploitation
- Status: The source implies a high-risk vulnerability under active monitoring; the cluster of associated RCE disclosures suggests exploitation activity is likely or imminent. The article notes that this issue lands amid other critical n8n disclosures.
- Complexity: Likely low, given that the flaw enables unauthenticated instance takeover.
- Attack Vector: Network (via exposed endpoints).
## Impact
- Confidentiality: High (Access to stored API tokens, credentials, and keys).
- Integrity: High (Ability to execute arbitrary code/workflows).
- Availability: High (Potential resource denial/system impact from RCE).
## Remediation
### Patches
- **Action:** Apply the latest updates immediately. (The specific fixed version is not detailed in the summary text.)
### Workarounds
- **Reduce Exposure:** Limit or eliminate public exposure of n8n webhook and form endpoints.
- **Credential Rotation:** Rotate all credentials, tokens, and keys brokered or stored within the compromised n8n instance post-remediation.
- **Workflow Integrity Check:** Validate the integrity of existing workflows.
## Detection
- **Indicators of Compromise (IoCs):** None are documented in the snippet; focus on unexpected network activity targeting the exposed webhook and form endpoints, unusual outbound connections originating from the n8n host, and modifications to stored secrets.
- **Detection Methods and Tools:** Network traffic monitoring of exposed n8n endpoints for unusual payload structures, and endpoint detection and response (EDR) monitoring for anomalous process execution originating from the n8n application service.
## References
- Vendor Advisories: (Not explicitly provided, but implied through the context of LevelBlue/SpiderLabs analysis.)
- Relevant Links (Defanged):
  - hxxps://www.levelblue.com/blogs/spiderlabs-blog/ni8mare-on-automation-street-when-workflows-turn-into-an-attack-path/