Overview
- CVE-2026-21858, dubbed Ni8mare, lets remote attackers without credentials read local files, bypass authentication, and execute commands on vulnerable n8n instances.
- n8n says the issue is fixed in version 1.121.0, and that users should upgrade immediately, avoid exposing instances to the internet, and require authentication for Forms.
- Researchers explain the flaw stems from Content-Type confusion in webhook and form handling that lets a request control req.body.files, enabling arbitrary file access.
- Cyera outlines a chain from reading the SQLite database and config to forging an admin session cookie and deploying a workflow that achieves remote code execution.
- Separately, n8n disclosed another maximum-severity issue, CVE-2026-21877, which allows authenticated RCE and is fixed in 1.121.3; Cyera estimates over 100,000 servers may be at risk.