At a glance: A max-severity vulnerability in the n8n workflow automation platform enables unauthenticated remote code execution and potential full system compromise. This flaw affects self-hosted instances prior to version 1.121.0 and is the latest in a recent series of critical n8n vulnerabilities disclosed in the past few weeks. Immediate upgrading and reduced external exposure are strongly recommended.
Threat summary
On January 7, 2026, researchers disclosed technical details for a maximum‑severity vulnerability in the n8n workflow automation platform.
The flaw, referred to as Ni8mare and tracked as CVE‑2026‑21858, affects locally deployed instances running versions prior to 1.121.0. The issue stems from how n8n processes incoming data, rather than from a specific workflow. It provides a direct path from an external, unauthenticated request to compromise the automation environment and any systems integrated with it.
The flaw carries a CVSS score of 10.0 because it's exploitable without authentication, requires low attack complexity, and could result in full compromise of the host system.
The disclosure of CVE‑2026‑21858 follows several other high‑impact vulnerabilities publicized in the past few weeks, including:
- CVE‑2026‑21877, with a CVSS score of 10.0, affects versions 0.123.0 through 1.121.2 in both self‑hosted and cloud‑hosted deployments and allows any authenticated user to execute code on the underlying host. The privileges needed for exploitation are minimal, the attack complexity is low, and exploitation could result in complete system compromise.
- CVE‑2025‑68613, with a CVSS score of 9.9, involves improper control of dynamically managed code resources and allows authenticated attackers to achieve remote code execution under certain conditions; this issue was fixed in versions 1.120.4, 1.121.1, and 1.122.0.
- CVE‑2025‑68668, known as N8scape and also rated 9.9, allows an authenticated user with permission to create or modify workflows to execute arbitrary commands on the host system; this vulnerability was fixed in version 2.0.0.
These vulnerabilities differ in their initial access requirements, but all ultimately provide a path to full system compromise when exploited.
Insights & mitigations
n8n is an open‑source workflow automation platform used to integrate internal systems, cloud services, and third‑party APIs. Its widespread adoption and deep integration into operational workflows increase the potential impact of exploitation. Compromise of an n8n instance can expose credentials, connected systems, and sensitive data flows.
The impact extends to any organization using n8n to automate workflows that interact with sensitive systems. The worst‑case scenario involves full system compromise and unauthorized access to connected services.
Upgrading to the latest n8n version is recommended; no workarounds are available. Reducing external exposure of n8n instances, isolating automation infrastructure from sensitive internal systems, and monitoring workflow activity for anomalous behavior can reduce risk.
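Because the four advisories above each quote a different affected or fixed range, working out which hosts still need the upgrade is easy to get wrong by eye. The following checker is an added example written for this note; it is not code from Field Effect or from the n8n project. It encodes only the version boundaries stated above and assumes plain semantic-version strings (an optional leading "v" and a pre-release suffix are tolerated). For CVE-2025-68613 the advisory gives fix versions but no lower bound, so the script treats every release not at or after one of the listed fixes as affected; the host names in the inventory are constructed.

```python
"""Assess a self-hosted n8n version against the affected/fixed ranges quoted in the advisory."""
from typing import Callable, Dict, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'v1.121.0' or '1.121.0-rc.1' into a comparable (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def affected_by_cve_2026_21858(v: Version) -> bool:
    # Advisory: self-hosted instances prior to 1.121.0.
    return v < (1, 121, 0)


def affected_by_cve_2026_21877(v: Version) -> bool:
    # Advisory: versions 0.123.0 through 1.121.2 inclusive.
    return (0, 123, 0) <= v <= (1, 121, 2)


def affected_by_cve_2025_68613(v: Version) -> bool:
    # Advisory: fixed in 1.120.4, 1.121.1 and 1.122.0, i.e. back-ported to the
    # 1.120.x and 1.121.x branches, so the check is branch-aware.
    # Assumption: anything not at or after one of those fixes is affected
    # (the advisory states no lower bound).
    major, minor, patch = v
    if (major, minor) == (1, 120):
        return patch < 4
    if (major, minor) == (1, 121):
        return patch < 1
    return v < (1, 122, 0)


def affected_by_cve_2025_68668(v: Version) -> bool:
    # Advisory: fixed in 2.0.0.
    return v < (2, 0, 0)


CHECKS: Dict[str, Callable[[Version], bool]] = {
    "CVE-2026-21858": affected_by_cve_2026_21858,
    "CVE-2026-21877": affected_by_cve_2026_21877,
    "CVE-2025-68613": affected_by_cve_2025_68613,
    "CVE-2025-68668": affected_by_cve_2025_68668,
}


def assess(version_text: str) -> Dict[str, bool]:
    """Map each advisory CVE to True when the given n8n version is in its affected range."""
    v = parse_version(version_text)
    return {cve: check(v) for cve, check in CHECKS.items()}


def needs_upgrade(version_text: str) -> bool:
    """True when the version is affected by at least one of the listed CVEs."""
    return any(assess(version_text).values())


if __name__ == "__main__":
    # Constructed inventory of hypothetical automation hosts; not real data.
    inventory = {
        "automation-01": "1.118.2",
        "automation-02": "1.121.0",
        "automation-03": "v1.122.1",
        "automation-04": "2.0.0",
    }
    for host, version in inventory.items():
        hits = [cve for cve, affected in assess(version).items() if affected]
        status = "UPGRADE: " + ", ".join(hits) if hits else "ok"
        print(f"{host:15} n8n {version:10} {status}")
```

Feed it the version reported by each self-hosted instance (for example from your asset inventory) and treat any host with a non-empty hit list as requiring the upgrade, since the advisory lists no workaround.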
Field Effect MDR reduces the impact of threats like the n8n vulnerabilities by continuously monitoring for behaviors such as unexpected process activity on automation servers, abnormal file access, misuse of credentials stored in workflows, and lateral movement attempts that typically occur after an attacker gains control of an automation platform. Because MDR correlates endpoint, network, and identity signals, it can quickly identify when an n8n instance begins executing workflows or accessing systems in ways that deviate from its normal patterns, even if the initial exploit is silent.
Further, Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment, providing clear guidance on steps recommended to mitigate the threat.