Max severity Ni8mare flaw impacts nearly 60,000 n8n instances

Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed "Ni8mare."

n8n is an open-source workflow automation platform that allows users to connect different applications and services via pre-built connectors and a visual, node-based interface to automate repetitive tasks without writing code.

The automation platform is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines. It has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm.

Since n8n serves as a central automation hub, it often stores API keys, OAuth tokens, database credentials, cloud storage access, CI/CD secrets, and business data, making it an attractive target for threat actors.

Tracked as CVE-2026-21858, this security flaw stems from an improper input validation weakness that allows remote, unauthenticated attackers to take control over locally deployed n8n instances after gaining access to files on the underlying server.

"A vulnerable workflow could grant access to an unauthenticated remote attacker. This could potentially result in exposure of information stored on the system and may enable further compromise depending on deployment configuration and workflow usage," the n8n team explained.

"An n8n instance is potentially vulnerable if it has an active workflow with a Form Submission trigger accepting a file element, and a Form Ending node returning a binary file."
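The advisory describes the vulnerable shape in terms of workflow structure, so one practical first step for an operator is to inventory exported workflows for that shape before deciding what to patch or disable first. The following triage helper is an added example written for this page; it is not code from the article, from Cyera or from the n8n project. It reads n8n workflow JSON exports and flags any active workflow that has both a Form Trigger with a file element and a Form Ending node returning a binary file. The node type strings (`n8n-nodes-base.formTrigger`, `n8n-nodes-base.form`), the parameter layout (`formFields.values[].fieldType`, `operation`, `respondWith`) and the sample exports are assumptions or constructed data, not values taken from the page; compare them against your own exports before relying on the result.

```python
"""Added triage helper (not part of the article or the n8n project): scan exported
n8n workflow JSON for the shape the n8n advisory describes as potentially vulnerable,
i.e. an active workflow with a Form Trigger that accepts a file element and a Form
Ending node that returns a binary file."""
import json

# ASSUMPTION: these are the "type" strings n8n uses for the Form Trigger node and the
# Form node in workflow exports. Compare against the "type" values in your own exports.
FORM_TRIGGER_TYPES = {"n8n-nodes-base.formTrigger"}
FORM_NODE_TYPES = {"n8n-nodes-base.form"}


def form_fields(node):
    """Field definitions of a Form Trigger node.
    ASSUMPTION: stored under parameters.formFields.values[] with a 'fieldType' key."""
    return node.get("parameters", {}).get("formFields", {}).get("values", [])


def accepts_file(node):
    """True if the Form Trigger exposes at least one file-upload element."""
    return any(field.get("fieldType") == "file" for field in form_fields(node))


def returns_binary_file(node):
    """True if a Form node is a Form Ending that responds with a binary file.
    ASSUMPTION: operation == 'completion' and respondWith == 'returnBinary'."""
    params = node.get("parameters", {})
    return params.get("operation") == "completion" and params.get("respondWith") == "returnBinary"


def assess_workflow(workflow):
    """Return which of the advisory's preconditions one exported workflow meets."""
    nodes = workflow.get("nodes", [])
    file_triggers = [n.get("name", "?") for n in nodes
                     if n.get("type") in FORM_TRIGGER_TYPES and accepts_file(n)]
    binary_endings = [n.get("name", "?") for n in nodes
                      if n.get("type") in FORM_NODE_TYPES and returns_binary_file(n)]
    active = bool(workflow.get("active", False))
    return {
        "workflow": workflow.get("name", "<unnamed>"),
        "active": active,
        "file_triggers": file_triggers,
        "binary_endings": binary_endings,
        # Only an active workflow with BOTH node kinds matches the advisory's description.
        "matches_advisory_pattern": active and bool(file_triggers) and bool(binary_endings),
    }


def triage_exports(raw_exports):
    """Parse a list of JSON strings (one exported workflow each) and assess them all."""
    return [assess_workflow(json.loads(raw)) for raw in raw_exports]


# Constructed sample exports for demonstration only (not real workflows).
SAMPLE_MATCHING = json.dumps({
    "name": "upload-and-return", "active": True,
    "nodes": [
        {"name": "On form submission", "type": "n8n-nodes-base.formTrigger",
         "parameters": {"formFields": {"values": [
             {"fieldLabel": "Document", "fieldType": "file"}]}}},
        {"name": "Form Ending", "type": "n8n-nodes-base.form",
         "parameters": {"operation": "completion", "respondWith": "returnBinary"}},
    ],
})
SAMPLE_INACTIVE = json.dumps({
    "name": "same-shape-but-inactive", "active": False,
    "nodes": json.loads(SAMPLE_MATCHING)["nodes"],
})
SAMPLE_TEXT_ONLY = json.dumps({
    "name": "text-form", "active": True,
    "nodes": [
        {"name": "On form submission", "type": "n8n-nodes-base.formTrigger",
         "parameters": {"formFields": {"values": [
             {"fieldLabel": "Email", "fieldType": "email"}]}}},
        {"name": "Form Ending", "type": "n8n-nodes-base.form",
         "parameters": {"operation": "completion", "respondWith": "text"}},
    ],
})

if __name__ == "__main__":
    for result in triage_exports([SAMPLE_MATCHING, SAMPLE_INACTIVE, SAMPLE_TEXT_ONLY]):
        flag = "REVIEW" if result["matches_advisory_pattern"] else "ok"
        print(f"{flag:6} {result['workflow']}: active={result['active']} "
              f"file_triggers={result['file_triggers']} binary_endings={result['binary_endings']}")
```

The script reports the matching node names rather than a bare yes/no, so an operator can see which trigger or ending to deactivate while the instance is being upgraded; an inactive workflow with the same shape is listed but not flagged, since the advisory's wording requires the workflow to be active.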

Cyera researchers, who discovered Ni8mare and reported it to n8n in early November, said that the vulnerability is a content-type confusion in how n8n parses data, which can be exploited to expose secrets stored on the instance, forge session cookies to bypass authentication, inject sensitive files into workflows, or even execute arbitrary commands.

Over the weekend, the Internet security watchdog group Shadowserver found 105,753 unpatched instances exposed online; 59,558 were still exposed on Sunday, with more than 28,000 IPs located in the United States and over 21,000 in Europe.

Image: Vulnerable n8n instances exposed online (Shadowserver)