## Executive Summary
Cybersecurity researchers at Cyera Research Labs have disclosed details of a maximum-severity security flaw in n8n, a popular open-source workflow automation platform. The vulnerability, tracked as CVE-2026-21858 and codenamed "Ni8mare", allows unauthenticated remote attackers to gain complete control of susceptible instances.
**CVSS Score:** 10.0 (Maximum Severity)
## Vulnerability Overview

### Root Cause
The vulnerability originates from a Content-Type confusion flaw in n8n's webhook and file-handling logic. The platform fails to properly validate and sanitize content types in incoming HTTP requests, allowing attackers to manipulate internal state.
### Attack Chain
1. Attacker sends crafted HTTP request to webhook endpoint
2. Manipulated content-type bypasses validation
3. Body structure overrides internal state variables
4. Attacker accesses sensitive files (including auth secrets)
5. Admin session forged using stolen credentials
6. Arbitrary code execution achieved on host
## Technical Details

### Exploitation Method
Attackers can exploit this vulnerability by sending specially crafted HTTP requests:
```http
POST /webhook/vulnerable-endpoint HTTP/1.1
Host: target-n8n-instance.com
Content-Type: multipart/form-data; boundary=--exploit--

----exploit--
Content-Disposition: form-data; name="file"; filename="../../../.n8n/config"
Content-Type: application/octet-stream

[malicious content]
----exploit----
```

## Impact Assessment
| Impact Type | Severity | Description |
|---|---|---|
| Confidentiality | Critical | Access to all credentials and secrets |
| Integrity | Critical | Arbitrary code execution |
| Availability | Critical | Complete system compromise |
### Affected Components
- Webhook endpoints
- File upload handlers
- Authentication token storage
- Configuration files
### Affected Versions
| Version | Status |
|---|---|
| < 1.25.0 | Vulnerable |
| 1.25.0+ | Patched |
| Cloud (n8n.cloud) | Patched automatically |
## Indicators of Compromise

### Log Analysis
```bash
# Check for exploitation attempts
grep -E "multipart.*\.\./" /var/log/n8n/*.log
grep -E "Content-Type.*confusion" /var/log/n8n/*.log

# Unusual file access
find /home/node/.n8n -name "*.log" -mtime -1 -exec grep -l "unauthorized" {} \;
```

### Suspicious Activity Patterns
- Unexpected webhook requests with malformed Content-Type headers
- Access to configuration files from web processes
- New admin users created without authorization
- Unusual outbound connections from n8n container
## Immediate Remediation

### 1. Update n8n Immediately
```bash
# Docker deployment
docker pull n8nio/n8n:latest
docker-compose down && docker-compose up -d

# npm installation
npm update -g n8n

# Verify version
n8n --version
```

### 2. Network Isolation
```bash
# Restrict webhook access (the ACCEPT rule must precede the DROP rule)
iptables -A INPUT -p tcp --dport 5678 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 5678 -j DROP
```

### 3. Rotate All Credentials
```bash
# Export existing credentials, decrypted with the current key
n8n export:credentials --all --decrypted > creds_backup.json
# Update N8N_ENCRYPTION_KEY in environment
# Re-import credentials so they are stored under the new key
n8n import:credentials --input=creds_backup.json
# creds_backup.json contains plaintext secrets: delete it securely once the import succeeds
```

### 4. Enable Authentication
Ensure basic authentication is enabled:
```bash
# Environment variables
export N8N_BASIC_AUTH_ACTIVE=true
export N8N_BASIC_AUTH_USER=admin
export N8N_BASIC_AUTH_PASSWORD=$(openssl rand -base64 32)
```

## Detection Rules
### Sigma Rule
```yaml
title: n8n Ni8mare Exploitation Attempt
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects CVE-2026-21858 exploitation attempts
logsource:
  product: n8n
  service: webhook
detection:
  selection:
    http.request.method: POST
    http.request.headers.content-type|contains: 'multipart'
  selection_traversal:
    url.path|contains: '../'
  condition: selection and selection_traversal
level: critical
tags:
  - attack.initial_access
  - attack.execution
  - cve.2026.21858
```

### Snort Rule
```text
alert http any any -> any 5678 (
    msg:"n8n CVE-2026-21858 Exploitation Attempt";
    content:"Content-Type|3a|"; nocase;
    content:"multipart"; distance:0;
    content:"../";
    classtype:web-application-attack;
    sid:1000001; rev:1;
)
```
## Vendor Response
Cyera Research Labs followed responsible disclosure:
| Date | Action |
|---|---|
| 2026-01-15 | Vulnerability discovered |
| 2026-01-16 | n8n team notified |
| 2026-01-25 | Patch released (v1.25.0) |
| 2026-01-30 | Public disclosure |
n8n has released version 1.25.0 which fully addresses this vulnerability. All users are strongly urged to update immediately.