On January 7, 2026, n8n disclosed a critical vulnerability tracked as CVE-2026-21858 (CVSS 10.0), dubbed “Ni8mare” (often referenced as “N8MARE”). The issue can allow an unauthenticated remote attacker to access files on the underlying server when certain form-based workflows are exposed.
Depending on what’s stored on the instance and how it’s deployed, this can cascade into credential theft, session/token forgery, and even full instance compromise.
Affected Versions
CVE-2026-21858 affects self-hosted / locally deployed n8n instances running version ≤ 1.65.0. The fixed version is 1.121.0. There are no official workarounds other than patching; as a temporary mitigation, restrict or disable public webhook/form endpoints.
Technical Overview
Ni8mare is described as a Content-Type confusion / improper request parsing issue in how n8n processes certain webhook + form-based requests.
n8n chooses parsing logic based on the request Content-Type. Under specific conditions, an attacker can manipulate how the request is parsed so that file-related fields are processed unsafely, enabling arbitrary file access on the server.
n8n classifies the weakness under CWE-20 (Improper Input Validation).
Exploitation Conditions
You should treat this as highest urgency if any of these are true:
- Your n8n instance is internet-facing
- You use webhooks or forms that are reachable without authentication
- You have workflows where external users submit data/files via a form and the workflow processes that content
- Your instance stores high-value credentials (OAuth, API keys) or has privileged network access
n8n’s advisory is explicit that exploitation depends on “certain form-based workflows” being vulnerable/exposed.
Remediation Guidance
If you self-host n8n:
- Patch immediately: upgrade to n8n 1.121.0 or later.
- Temporarily reduce exposure: restrict/disable publicly accessible webhook and form endpoints until you patch.
- Assume secrets may be exposed if your instance was internet-facing and used forms/webhooks. Prioritize rotating:
  - n8n encryption/secret keys, auth/session secrets
  - OAuth tokens/API keys stored in credentials
  - DB credentials, cloud keys, CI/CD secrets referenced by workflows
- Hunt for suspicious webhook/form traffic and unusual workflow executions (details below).
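One way to start the hunt for suspicious webhook/form traffic, given that n8n selects its parser from the request Content-Type: flag POSTs whose media type deviates from what each endpoint normally receives. This is an added example, not n8n or OP Innovate code; the proxy log layout, the sample lines and the `hunt` helper are assumptions, and the path prefixes are n8n defaults that your deployment may have renamed.

```python
import re
from collections import Counter, defaultdict

# Assumed reverse-proxy log layout (not an n8n format): ip [time] "METHOD path" status "content-type"
LINE = re.compile(r'(\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3}) "([^"]*)"')
# n8n's default form/webhook path prefixes; adjust if the endpoints were renamed.
PREFIXES = ("/form/", "/form-test/", "/webhook/", "/webhook-test/")

# Constructed sample lines for illustration only (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 [06/Jan/2026:10:01:02 +0000] "POST /form/upload-cv" 200 "multipart/form-data; boundary=a1"
198.51.100.9 [06/Jan/2026:10:07:40 +0000] "POST /form/upload-cv" 200 "multipart/form-data; boundary=b2"
203.0.113.50 [06/Jan/2026:11:15:09 +0000] "POST /form/upload-cv" 200 "text/plain"
198.51.100.7 [06/Jan/2026:11:30:00 +0000] "POST /form/upload-cv?src=mail" 200 "multipart/form-data; boundary=c3"
203.0.113.50 [06/Jan/2026:11:31:00 +0000] "GET /form/upload-cv" 200 ""
192.0.2.10 [06/Jan/2026:12:00:00 +0000] "POST /webhook/deploy" 200 "application/json"
192.0.2.10 [06/Jan/2026:12:05:00 +0000] "POST /healthz" 200 "application/json"
"""

def hunt(log_text, min_baseline=3):
    """Return POSTs whose Content-Type differs from the endpoint's dominant media type."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line; review separately if these are frequent
        ip, ts, method, path, status, ctype = m.groups()
        path = path.split("?", 1)[0]  # group by endpoint, ignoring the query string
        if method != "POST" or not path.startswith(PREFIXES):
            continue
        media = ctype.split(";", 1)[0].strip().lower() or "(none)"
        by_path[path].append((ts, ip, media, int(status)))
    findings = []
    for path, hits in by_path.items():
        counts = Counter(media for _, _, media, _ in hits)
        dominant, seen = counts.most_common(1)[0]
        if seen < min_baseline:
            continue  # too little traffic to establish a baseline for this endpoint
        findings += [(ts, ip, path, media, status) for ts, ip, media, status in hits if media != dominant]
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Endpoints with too little traffic to form a baseline are skipped here, so review those by hand, and correlate any hit with the workflow execution history for the same timestamp.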
Context: n8n Has Had Multiple Critical Bugs Recently
Ni8mare lands amid a wave of critical n8n issues disclosed in late 2025 / early 2026, including CVE-2025-68613 (CVSS 9.9) and others. This increases the chance that attackers will actively probe n8n instances and chain weaknesses where possible.
Stay Safe. Stay Secure.
OP Innovate Research Team



