Security experts have warned of a critical new vulnerability in popular AI workflow automation platform n8n that could enable adversaries to take over locally deployed instances and compromise enterprise secrets.
Cyera revealed the “Ni8mare” vulnerability (CVE-2026-21858) in a blog post yesterday. It has a CVSS score of 10.0, reflecting the fact that remote, unauthenticated hackers can exploit the bug with potentially severe consequences.
The n8n platform has over 100 million Docker pulls and millions of users, with 100,000 servers potentially exposed, Cyera said.
Because it plays such an important role in enterprise automation efforts – connecting to Google Drive, Salesforce, OpenAI, CI/CD pipelines, payment processors and more – the blast radius of a compromised server could be “massive,” the vendor warned.
“Imagine a large enterprise with 10,000+ employees with one n8n server that anyone uses. A compromised n8n instance doesn’t just mean losing one system – it means handing attackers the keys to everything,” Cyera explained.
“API credentials, OAuth tokens, database connections, cloud storage – all centralized in one place. N8n becomes a single point of failure and a goldmine for threat actors.”
There are no official workarounds available for Ni8mare, with users urged to upgrade to version 1.121.0 or later to remediate.
According to the official advisory, the vulnerability enables threat actors to access files on an affected server through execution of certain form-based workflows.
“A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage,” it noted.
How it Works
The vulnerability relates to the webhooks that start workflows in n8n. The platform chooses how to parse an incoming request body based on the request’s “content-type” header.
When a request is “multipart/form-data”, the platform uses a dedicated file upload parser (Formidable), which stores uploaded files in temporary locations; it does this to protect against path traversal attacks. For all other content types, a regular body parser is used.
“Here’s what matters: the file upload parser wraps Formidable’s parse() function,” explained Cyera.
“Unlike the regular body parser that populates req.body, this one populates req.body.files with the output from Formidable.”
If a threat actor were to change the content type to something like application/json, the n8n middleware would call the regular parser instead of the file upload parser. This means req.body.files would not be populated by Formidable; instead, it would contain whatever the request body itself supplied.
Thus, n8n would process file-related fields without verifying that the request actually contained a valid file upload, meaning an attacker could control the file metadata and the file path.
“Here’s the issue: since this function is called without verifying the content type is multipart/form-data, we control the entire req.body.files object. That means we control the filepath parameter – so instead of copying an uploaded file, we can copy any local file from the system,” Cyera explained.
“The result? Any node after the Form node receives the local file’s content instead of what the user uploaded.”
The vulnerability can therefore be used to read arbitrary files from an n8n instance, and in turn expose secrets, inject files into workflows, forge session cookies for authentication bypass and achieve arbitrary code execution, the report warned.
Cyera thanked the security team at n8n for its prompt response in patching the flaw, which was reported on November 9 and fixed nine days later.
