{"id":4061,"date":"2026-01-11T10:39:13","date_gmt":"2026-01-11T10:39:13","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/01\/11\/maximum-severity-ni8mare-bug-lets-hackers-hijack-n8n-servers\/"},"modified":"2026-01-11T10:39:13","modified_gmt":"2026-01-11T10:39:13","slug":"maximum-severity-ni8mare-bug-lets-hackers-hijack-n8n-servers","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/01\/11\/maximum-severity-ni8mare-bug-lets-hackers-hijack-n8n-servers\/","title":{"rendered":"Maximum Severity \u201cNi8mare\u201d Bug Lets Hackers Hijack n8n Servers"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security experts have warned of a critical new vulnerability in popular AI workflow automation platform n8n that could enable adversaries to take over locally deployed instances and compromise enterprise secrets.<\/p>\n<p>Cyera revealed the \u201cNi8mare\u201d vulnerability (CVE-2026-21858) in a blog post yesterday. It has a CVSS score of 10.0, reflecting the fact that remote, unauthenticated hackers can exploit the bug with potentially severe consequences.<\/p>\n<p>The n8n platform has over 100 million Docker pulls and millions of users, with 100,000 servers potentially exposed, Cyera said.<\/p>\n<p>However, because it plays such an important role in enterprise automation efforts \u2013 connecting to Google Drive, Salesforce, OpenAI, CI\/CD pipelines, payment processors and more \u2013 the blast radius of a compromised server could be \u201cmassive,\u201d the vendor warned.<\/p>\n<p>\u201cImagine a large enterprise with 10,000+ employees with one n8n server that anyone uses. 
A compromised n8n instance doesn\u2019t just mean losing one system \u2013 it means handing attackers the keys to everything,\u201d Cyera explained.<\/p>\n<p>\u201cAPI credentials, OAuth tokens, database connections, cloud storage \u2013 all centralized in one place. N8n becomes a single point of failure and a goldmine for threat actors.\u201d<\/p>\n<p><em>Read more on maximum severity bugs: Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited<\/em><\/p>\n<p>There are no official workarounds available for Ni8mare, with users urged to upgrade to version 1.121.0 or later to remediate.<\/p>\n<p>According to the official advisory, the vulnerability enables threat actors to access files on an affected server through execution of certain form-based workflows.<\/p>\n<p>\u201cA vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage,\u201d it noted.<\/p>\n<h2>How it Works<\/h2>\n<p>The vulnerability relates to the webhooks that start workflows in n8n. The platform parses incoming data based on the \u201ccontent-type\u201d header in a webhook.<\/p>\n<p>When a request is \u201cmultipart\/form-data\u201d, the platform uses a special file upload parser (Formidable) which stores the files in temporary locations. It does this to protect against path traversal attacks. However, for all other content types, a regular parser is used.<\/p>\n<p>\u201cHere\u2019s what matters: the file upload parser wraps Formidable\u2019s parse() function,\u201d explained Cyera.<\/p>\n<p>\u201cUnlike the regular body parser that populates req.body, this one populates req.body.files with the output from Formidable.\u201d<\/p>\n<p>If a threat actor were to change the content type to something like application\/json, the n8n middleware would call the regular parser instead of the special file upload parser. 
This means req.body.files wouldn\u2019t be populated.<\/p>\n<p>Thus, n8n would process file-related fields without verifying that the request contains a valid file upload, meaning an attacker could control the file metadata and file path.<\/p>\n<p>\u201cHere\u2019s the issue: since this function is called without verifying the content type is multipart\/form-data, we control the entire req.body.files object. That means we control the filepath parameter \u2013 so instead of copying an uploaded file, we can copy any local file from the system,\u201d Cyera explained.<\/p>\n<p>\u201cThe result? Any node after the Form node receives the local file\u2019s content instead of what the user uploaded.\u201d<\/p>\n<p>The vulnerability can therefore be used to read arbitrary files from an n8n instance, and in turn expose secrets, inject files into workflows, forge session cookies for authentication bypass and achieve arbitrary code execution, the report warned.<\/p>\n<p>Cyera thanked the security team at n8n for its prompt response in patching the flaw, which was reported on November 9 and fixed nine days later.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security experts have warned of a critical new vulnerability in popular AI workflow automation platform n8n that could enable adversaries to take over locally deployed instances and compromise enterprise secrets. Cyera revealed the \u201cNi8mare\u201d vulnerability (CVE-2026-21858) in a blog post yesterday. 
It has a CVSS score of 10.0, reflecting the fact that remote, unauthenticated hackers<\/p>\n","protected":false},"author":2,"featured_media":4062,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4061","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4061-31f437f6-56e4-4c0c-a4f7-66f00f16d803-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_
info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4061","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4061"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4061\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4062"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4061"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4061"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4061"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}