Cybersecurity researchers have disclosed details of yet another maximum-severity security flaw in n8n, a popular workflow automation platform, that allows an unauthenticated remote attacker to gain complete control over susceptible instances.
The vulnerability, tracked as CVE-2026-21858 (CVSS score: 10.0), has been codenamed Ni8mare by Cyera Research Labs. Security researcher Dor Attias has been acknowledged for discovering and reporting the flaw on November 9, 2025.
"A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows," n8n said in an advisory published today. "A vulnerable workflow could grant access to an unauthenticated remote attacker. This could result in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage."
With the latest development, n8n has disclosed four critical vulnerabilities over the last two weeks -
- CVE-2025-68613 (CVSS score: 9.9) - An improper control of dynamically-managed code resources that could allow authenticated attackers to achieve remote code execution (RCE) under certain conditions (Fixed in versions 1.120.4, 1.121.1, and 1.122.0)
- CVE-2025-68668 or N8scape (CVSS score: 9.9) - A sandbox bypass vulnerability that could allow an authenticated user with permission to create or modify workflows to execute arbitrary commands on the host system running n8n (Fixed in version 2.0.0)
- CVE-2026-21877 (CVSS score: 10.0) - An unrestricted upload of a file with a dangerous type vulnerability that could allow an authenticated attacker to execute untrusted code via the n8n service, leading to full compromise of the instance (Fixed in version 1.121.3)
However, unlike these flaws, CVE-2026-21858 does not require any credentials and takes advantage of a "Content-Type" confusion flaw to extract sensitive secrets, forge administrator access, and even execute arbitrary commands on the server.