Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Industry
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
WATCH ON-DEMAND: The BAS Summit: Redefining Attack Simulation through AI
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

Ni8mare: n8n CVE-2026-21858 Remote Code Execution Vulnerability Explained

Huseyin Can YUCEEL | 5 MIN READ

CREATED ON January 08, 2026

On January 7, 2026, n8n disclosed a critical vulnerability that enables unauthenticated attackers to fully compromise locally deployed instances. Tracked as CVE-2026-21858, Ni8mare vulnerability allows attackers to bypass authentication entirely and ultimately achieve remote code execution on the host system. Given n8n’s widespread use as a central automation layer that connects sensitive internal systems and third party services, the vulnerability received a CVSS score of 10.0 (Critical).

In this blog, we explain how the Ni8mare CVE-2026-21858 vulnerability works, and provide practical steps for validation and remediation.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Ni8mare CVE-2026-21858 Vulnerability Explained

n8n is an open source workflow automation platform designed to help organizations connect applications, automate processes, and orchestrate data flows with minimal friction. Because of its flexibility, n8n is often used as a central automation layer that bridges internal systems and external APIs. This central role means n8n instances frequently hold credentials, tokens, and access paths to critical business infrastructure. While n8n includes authentication and security controls, its extensible design and reliance on webhooks and user supplied input make secure request handling essential to maintaining its overall trust boundary.

On January 7, 2026, n8n issued a security advisory for a critical vulnerability identified as CVE-2026-21858 [1]. The vulnerability can be described as a content type confusion vulnerability that leads to unauthenticated remote code execution. CVE-2026-21858 has a CVSS score of 10.0 (Critical) and affects versions 1.121.0 and prior.

How Does the Ni8Mare CVE-2026-21858 Exploit Work?

  • Request Parsing and Content Type Handling

Ni8mare is a critical application logic vulnerability rooted in how n8n processes incoming webhook requests [2]. At the entry point, all webhook requests pass through a shared execution flow that invokes a function called parseRequestBody() that is responsible for request parsing. This function inspects the Content Type header to decide which parsing routine to apply. If the request is marked as multipart form data, parseRequestBody() delegates parsing to parseFormData(), a wrapper around Formidable’s parse function. This path safely handles file uploads by writing them to randomized temporary locations and populating file metadata under req.body.files. For all other content types, parseRequestBody() invokes parseBody(), which directly deserializes the request body and assigns the decoded content to the req.body object without any file handling safeguards.

  • Content Type Confusion and Trust Boundary Breakdown

The Ni8mare vulnerability arises because downstream webhook logic assumes that file handling functions are only reached when parseFormData() has populated req.body.files. In practice, this assumption is not consistently enforced. By sending a request with a non-file content type such as application/json, an attacker forces the parseRequestBody() function to invoke parseBody() instead of parseFormData(). Since parseBody() blindly assigns attacker supplied input to req.body, the attacker can inject a fully controlled files object directly into req.body.files. At this point, internal trust boundaries are already broken, as later execution paths treat this attacker-controlled structure as if it were generated by the trusted file upload parser.

  • Unvalidated File Handling in Form Webhooks

This weakness becomes exploitable in webhook handlers that perform file operations without re-validating the Content Type. A key example is the formWebhook handler, which processes submissions from n8n Form nodes. formWebhook ultimately calls prepareFormReturnItem, a helper function designed to process uploaded files. Inside prepareFormReturnItem, n8n iterates over req.body.files and invokes copyBinaryFile() for each entry. The copyBinaryFile() function reads the file path specified in req.body.files[id].filepath and copies the referenced file into persistent storage, either on disk or in an object store such as S3. Crucially, copyBinaryFile() does not verify that the file originated from a legitimate multipart upload or that the file path was generated by Formidable.

  • Arbitrary File Read via Attacker Controlled File Paths

Because the attacker fully controls req.body.files when parseBody() is used, they can supply arbitrary file paths instead of temporary upload locations. This allows n8n to read any file accessible to the n8n process, effectively creating an arbitrary file read primitive. Attackers can leverage this to extract sensitive local files, including the n8n SQLite database containing user records and the configuration file that stores the instance specific encryption secret used to sign authentication cookies.

  • Authentication Bypass Through Session Forgery

With access to these files, the attack escalates beyond information disclosure. n8n authentication relies on a signed session cookie named n8n auth, which contains a payload derived from user identifiers and a hash of credentials, signed using the local encryption secret. By extracting both the user database and the signing secret through arbitrary file reads, an attacker can forge a valid session cookie and bypass authentication entirely, logging in as an administrative user without knowing any passwords.

  • Remote Code Execution via Workflow Abuse

Once authenticated as an administrator, the final step to remote code execution requires no additional vulnerability. n8n includes built in workflow nodes such as Execute Command that are intended for legitimate automation use cases. An attacker with administrative access can create a new workflow that invokes these nodes, resulting in arbitrary command execution on the host system. The full exploit chain therefore flows from parseRequestBody() and parseBody(), through prepareFormReturnItem and copyBinaryFile(), and ultimately into n8n’s workflow execution engine.

How Picus Helps Simulate Ni8mare CVE-2026-21858 Attacks?

We also strongly suggest simulating the Ni8mare CVE-2026-21858 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Ni8mare CVE-2026-21858 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

96110

n8n Web Attack Campaign

Web Application

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Security Validation Platform.

References

[1] "Unauthenticated File Access via Improper Webhook Request Handling," GitHub. Available: https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg

[2] "Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858)." Available: https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858

Table of Contents

Ready to start? Request a demo
Ni8mare: n8n CVE-2026-21858 Remote Code Execution Vulnerability Explained
Emerging Threat Ni8mare: n8n CVE-2026-21858 Remote Code Execution Vulnerability Explained
Learn More
React Flight Protocol RCE Vulnerability: CVE-2025-55182 and CVE-2025-66478 Explained
Emerging Threat React2Shell RCE Vulnerability: CVE-2025-55182 and CVE-2025-66478 Explained
Learn More
FortiWeb CVE-2025-64446 Vulnerability: Path Traversal Leads to Remote Code Execution
Emerging Threat FortiWeb CVE-2025-64446 Vulnerability: Path Traversal Leads to Remote Code Execution
Learn More
CVE-2025-59287 Explained: WSUS Unauthenticated RCE Vulnerability
Emerging Threat CVE-2025-59287 Explained: WSUS Unauthenticated RCE Vulnerability
Learn More
Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis
Emerging Threat Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis
Learn More
WARMCOOKIE: A Technical Deep Dive into a Persistent Backdoor's Evolution
Emerging Threat WARMCOOKIE: A Technical Deep Dive into a Persistent Backdoor's Evolution
Learn More
Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
Emerging Threat Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
Learn More
Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup
Emerging Threat Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup
Learn More
F5 Confirms Breach of Internal Systems—Source Code, Customer Data at Risk
Emerging Threat F5 Confirms Breach of Internal Systems—Source Code, Customer Data at Risk
Learn More