Researchers rush to warn defenders of max-severity defect in n8n
Researchers warn that a critical vulnerability in n8n, an automation platform that allows organizations to integrate AI agents, workflows and hundreds of other enterprise services, could be exploited by attackers to achieve full control of targeted networks.
The maximum-severity vulnerability — CVE-2026-21858 — affects about 100,000 servers globally, according to Cyera, which initially discovered and reported the defect to n8n on Nov. 9. Developers responsible for the widely used platform released a patch for the vulnerability on Nov. 18, but didn’t publicly disclose or assign the vulnerability a CVE until Wednesday.
“The risk is massive,” Dor Attias, security researcher at Cyera Research Labs, told CyberScoop. “n8n sits at the heart of enterprise automation infrastructure. Gaining control of n8n means gaining access to your secrets, customer data, CI/CD pipelines and more.”
Researchers haven’t observed active exploitation of the vulnerability, but Cyera published a working proof of concept, which typically triggers a race for defenders to patch a defect before in-the-wild exploitation occurs.
“We are seeing a noticeable increase in traffic targeting customer n8n instances,” Upwind CEO Amiram Shachar said. “We believe this activity is likely driven by heightened interest from both attackers and security researchers rather than confirmed exploitation — at least for now.”
The content-type confusion vulnerability requires no authentication, allows full remote-code execution and there is no workaround. Researchers and n8n, which did not respond to a request for comment, advise users to update to version 1.121.1 or later to remediate the vulnerability.
Cyera, which dubbed the defect “ni8mare,” said the patch effectively addresses the vulnerability.
Threat hunters are especially concerned about the vulnerability because of the widespread deployment of n8n and the potential exposure that could occur as a result of exploitation.
“n8n instances typically manage highly sensitive workflows containing access tokens, credentials and business-critical data. That makes them a gold mine for attackers,” Shachar said.
Systemic weaknesses, including a lack of proper exposure management, permission boundaries and broader application security control amplify the risk, Shachar added.
It’s unclear why n8n took almost two months to publicly disclose the vulnerability. The company acknowledged and started working on a fix for the defect a day after Cyera reported the vulnerability, Attias said.
“The delay was likely due to them working on patching additional bugs, which is more important than rushing to publish the advisory,” he added.
Indeed, n8n disclosed a separate remote-code execution vulnerability — CVE-2026-21877 — with a CVSS rating of 10 on Wednesday.
Shachar said disclosure procedures and the rapid growth of n8n could have slowed coordination with security advisory channels, adding that some security teams view delayed disclosures as a responsible measure to reduce the risk of immediate, widespread attacks.
