Full Report
Roughly 100,000 servers running the automated workflow platform for AI and other enterprise tools are potentially exposed to exploitation. The post "Researchers rush to warn defenders of max-severity defect in n8n" appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in n8n (ni8mare)
## CVE Details
- CVE ID: CVE-2026-21858
- CVSS Score: Maximum Severity (Specific score not provided, but described as "max-severity" and capable of RCE)
- CWE: Content-type Confusion (Implied by description)
## Affected Systems
- Products: n8n (Automated workflow platform)
- Versions: Versions prior to 1.121.1, based on the patch release.
- Configurations: Affects approximately 100,000 deployed servers globally.
## Vulnerability Description
A critical, unauthenticated vulnerability exists in the n8n platform, dubbed "ni8mare." The flaw is described as a content-type confusion vulnerability that, when successfully exploited, allows an attacker to achieve **full Remote Code Execution (RCE)** on the targeted server. Because n8n instances often handle secrets, credentials, and business-critical data, exploitation grants access to highly sensitive resources.
## Exploitation
- Status: Proof of Concept (PoC) available. Researchers have observed a "noticeable increase in traffic" targeting instances, though active in-the-wild exploitation has not yet been confirmed.
- Complexity: Low (Implied by the severity and lack of authentication requirement).
- Attack Vector: Network (Remote, Unauthenticated)
## Impact
- Confidentiality: High (Gaining access to secrets, customer data, CI/CD pipelines, etc.)
- Integrity: High (Potential to modify or compromise workflows and systems)
- Availability: High (Potential for system compromise)
## Remediation
### Patches
- **n8n version 1.121.1 or later.** (The patch was originally released in version 1.121.0 on Nov 18, but the advice points to 1.121.1 or later for remediation, as the public disclosure happened later.)
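To apply the version floor above across a fleet, the following added example (not code from n8n, the advisory, or the researchers) triages an inventory of reported versions or container image references against 1.121.1. The hostnames and references in `SAMPLE` are constructed, and the three verdict labels are this example's own.

```python
import re

FIXED = (1, 121, 1)  # remediation floor stated on this page
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)

def tag_of(ref):
    """Reduce 'registry/repo:tag' to 'tag'; a bare version passes through."""
    name = ref.strip().rsplit("/", 1)[-1]
    return name.split(":", 1)[1] if ":" in name else name

def classify(ref):
    """Return 'patch', 'ok' or 'verify' for one version string or image ref."""
    m = _SEMVER.match(tag_of(ref))
    if m is None:
        return "verify"  # floating tag, digest or malformed: check on the host
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if core < FIXED:
        return "patch"  # includes 1.121.0, which is below the advised floor
    if core == FIXED and m.group(4):
        return "verify"  # a pre-release of 1.121.1 sorts before the release
    return "ok"

def triage(inventory):
    """Map every host in the inventory to its verdict."""
    return {host: classify(ref) for host, ref in inventory.items()}

# Constructed inventory: host name -> version or image reference as recorded.
SAMPLE = {
    "wf-prod-01": "1.119.2",
    "wf-prod-02": "n8nio/n8n:1.121.0",
    "wf-stage-01": "v1.121.1",
    "wf-stage-02": "1.121.1-rc.1",
    "wf-dev-01": "n8nio/n8n:latest",
    "wf-dev-02": "2.0.3",
    "wf-lab-01": "registry.example:5000/n8n:1.120.4",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:36} {verdict}")
```

A `verify` verdict means the recorded value cannot prove the running version, so the instance should be checked directly rather than assumed patched.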
### Workarounds
- No workarounds were identified or recommended by the researchers or vendor. Immediate patching is advised.
## Detection
- Threat hunters should look for increased network traffic targeting exposed n8n instances.
- Monitor application logs, and network traffic if deep packet inspection is available, for unusual requests or execution attempts related to content-type handling.
## References
- Vendor Advisory (n8n Security Advisory): https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
- Discovery Report (Cyera): https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858