A severe unauthenticated remote code execution (RCE) vulnerability nicknamed “Ni8mare” has been discovered in the n8n workflow automation platform. This flaw, tracked as CVE-2026-21858, allows attackers to take full control of vulnerable n8n instances without needing credentials. Read this Cybersecurity Threat Advisory now to mitigate your risk.
What is the threat?
Ni8mare is a Content-Type confusion bug in n8n caused by how the parseRequestBody() middleware handles request data. Here’s what happens:
- When requests use multipart/form-data, n8n processes uploaded files securely, writing them to random, safe paths.
- If an attacker sends a different Content-Type (e.g., application/json), n8n falls back to a generic parser that trusts user input. This lets attackers inject arbitrary file paths into req.body.files.
Why is it noteworthy?
This vulnerability is particularly concerning due to the following factors:
- No authentication required – Anyone can exploit it.
- Full remote code execution – Complete control of the host.
- High-value secrets exposed – API tokens, cloud credentials, database passwords.
- Internet-facing risk – Many n8n instances are public for webhook use.
- Supply chain impact – Compromised workflows can trigger malicious actions across connected services.
What is the exposure or risk?
A successful attack could lead to complete environment compromise, unauthorized access to third-party platforms, business disruption, and potential regulatory or compliance exposure.
Organizations may be at increased risk if they:
- Run n8n versions from 1.65.0 up to (but not including) 1.121.0
- Expose n8n to the internet
- Use n8n for cloud, DevOps, or sensitive workflows
- Store plaintext credentials in workflows
- Run n8n with excessive privileges
- Haven’t applied the latest security patches
What are the recommendations?
Barracuda recommends the following actions to secure your environment:
- Update immediately to n8n v1.121.0 or later (fix included)
- Restrict external access using firewalls, VPNs, or IP allowlists
- Enable authentication and avoid public unauthenticated access
- Rotate all stored credentials (API keys, tokens, passwords)
- Audit workflows for unauthorized changes
- Run with least privilege (avoid root or overly permissive containers)
- Monitor logs for suspicious activity
- Check webhook requests for application/json instead of the expected multipart/form-data
- Track file integrity for sensitive files like /root/.n8n/database.sqlite and .n8n/config
- Audit sessions for unusual admin logins or forged cookies
- Review workflows for nodes like “Execute Command” or “Code” with sandbox escape patterns (e.g., process.mainModule.require)
References
For more in-depth information about the recommendations, please visit the following links:
- Ni8mare – Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) | Cyera Research Labs
- Critical Vulnerability Exposes n8n Instances to Takeover Attacks – SecurityWeek
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.