Security researchers have disclosed a critical vulnerability in n8n, a popular open-source workflow automation platform, that could allow unauthenticated remote code execution.
Critical Vulnerability
CVE-2026-21858 (CVSS 10.0), codenamed “Ni8mare” by Cyera Research Labs, is a critical vulnerability that could allow unauthenticated attackers to execute arbitrary code on n8n servers.
The vulnerability exists in how n8n processes certain workflow inputs, enabling attackers to inject malicious code that gets evaluated by the server.
Impact
Successful exploitation could allow attackers to:
- Execute arbitrary commands on the server
- Access sensitive workflow data and credentials
- Pivot to connected systems and APIs
- Exfiltrate data from automated processes
- Disrupt business operations
n8n Usage Context
n8n is widely used for:
- Business process automation
- Data integration between services
- CI/CD pipeline orchestration
- Monitoring and alerting workflows
- API integrations
Many n8n instances connect to sensitive systems including databases, cloud services, and internal APIs—making compromise particularly damaging.
Remediation
Organizations using n8n should:
- Update immediately to the latest patched version
- Review workflow logs for suspicious activity
- Audit connected credentials and rotate if necessary
- Restrict network access to n8n instances
- Implement input validation in custom workflows
Broader Automation Security
This vulnerability highlights risks in workflow automation platforms:
- Automation tools often have broad access to systems
- They frequently store sensitive credentials
- Custom workflows may introduce vulnerabilities
- Self-hosted instances may lag behind security updates
Organizations should treat automation platforms as critical infrastructure requiring regular security assessment.