Ni8mare and Critical n8n Vulnerabilities: How Workflow Automation Became a Prime Target

CyberSecureFox 🦊

The open-source workflow automation platform n8n has become the focus of intense security scrutiny after researchers disclosed details of four critical vulnerabilities in recent weeks. Two flaws received the maximum CVSS score of 10.0, including the most severe issue, Ni8mare (CVE-2026-21858), which enables full remote takeover of an n8n instance without any authentication.

Why n8n Is a High-Value Target for Attackers

n8n is a popular no-code/low-code workflow automation platform that connects applications, APIs, and services through a visual editor. It is widely used for AI orchestration — managing LLM workflows, running AI agents, and building RAG pipelines. The ecosystem reports more than 50,000 weekly downloads on npm and over 100 million pulls on Docker Hub, making n8n an attractive and widely exposed attack surface.

The main security concern is the type of data n8n typically manages. Instances often store highly sensitive infrastructure secrets: API keys, OAuth tokens, database credentials, cloud access keys, and CI/CD secrets. As researchers from Cyera note, compromise of such an instance effectively hands an attacker the “keys to the entire environment”, not just to a single application.

Ni8mare (CVE-2026-21858): Unauthenticated Takeover via Content-Type Confusion

Ni8mare (CVSS: 10.0) allows an unauthenticated attacker to access arbitrary files on the n8n server and, in many real-world scenarios, escalate this to remote code execution (RCE). The exploit abuses how n8n handles webhook and form-based workflows and relies on a classic content-type confusion issue.

n8n uses two separate parsers for incoming webhook requests. Requests with multipart/form-data are handled by a dedicated file-upload parser that includes protections against path traversal. Other content types, such as application/json, are processed by a standard body parser that does not apply the same file path safeguards.

Researchers demonstrated that by sending a request with Content-Type: application/json while supplying fields that n8n expects to be files, an attacker can gain full control over the req.body.files object. This makes it possible to inject and manipulate file metadata, including the file path, and effectively turn a benign upload flow into an arbitrary file read primitive on the local filesystem.

Through this technique, an attacker can read configuration files, logs, databases, and cryptographic keys, then use the stolen material to forge session cookies, bypass authentication, and ultimately chain the flaw into RCE and complete instance takeover. According to the vendor, Ni8mare affects n8n versions from 1.65.0 up to but not including 1.121.0 and is patched in 1.121.0 (released 18 November 2025). There is no full workaround; until the patch is applied, administrators are advised to disable public webhook and form endpoints or restrict them to trusted sources.

Other Critical n8n Vulnerabilities Enabling Remote Code Execution

CVE-2026-21877: Unsafe File Uploads Leading to Code Execution

CVE-2026-21877 (CVSS: 10.0) is another critical file upload vulnerability in n8n. Under certain conditions, an authenticated user can upload and execute malicious code through n8n, resulting in full compromise of the instance. The issue affects versions from 0.123.0 up to but not including 1.121.3 and is fixed in 1.121.3.

Until the update is installed, security teams should disable the Git node and restrict access for untrusted users, especially in multi-tenant and SaaS deployments where one compromised tenant can impact others.

N8scape (CVE-2025-68668): Escaping the Pyodide Python Sandbox

The vulnerability known as N8scape (CVE-2025-68668, CVSS: 9.9) targets the Python Code Node, which historically ran Python via Pyodide in a sandboxed environment. An authenticated user with permission to create or modify workflows can bypass the sandbox and execute commands on the host system with the privileges of the n8n process.

Versions from 1.0.0 up to but not including 2.0.0 are affected. Starting with 2.0.0, n8n runs Python Code Node code through a native Python task runner, first introduced as an optional feature in 1.111.0, which isolates Python execution much more strongly than the Pyodide sandbox did.

CVE-2025-68613: Improper Control of Dynamically Managed Code (RCE)

CVE-2025-68613 (CVSS: 9.9) is described as improper control of dynamically managed code resources. In specific configurations, authenticated users can exploit this weakness to achieve remote code execution. Patches are available in versions 1.120.4, 1.121.1, and 1.122.0. Internet-wide scans by Censys indicated that by late December 2025 there were more than 100,000 potentially vulnerable n8n deployments still exposed.

Global Exposure and Impact on AI and DevOps Infrastructure

Censys identified over 26,000 n8n hosts directly reachable from the internet. The largest concentrations are in the United States (7,079), Germany (4,280), France (2,655), Brazil (1,347), and Singapore (1,129). The true number of installations is higher when instances behind VPNs, reverse proxies, and private networks are considered.

Because n8n often acts as an integration bus between databases, message queues, source code repositories, CI/CD pipelines, and cloud platforms, its compromise gives attackers a powerful pivot point. This turns a single workflow automation breach into a strategic entry vector for attacking an organization’s entire DevOps and AI infrastructure.

Security Best Practices for Protecting n8n Instances

Administrators and DevOps teams should upgrade n8n to a fixed version as a matter of urgency. At minimum, instances should run 1.121.3 or later, which covers Ni8mare (fixed in 1.121.0), CVE-2026-21877 (fixed in 1.121.3) and CVE-2025-68613 (fixed in 1.121.1 on that release line), and 2.0.0 or later to address N8scape. Since 2.0.0 is newer than every fix listed here, that single upgrade closes all four issues.
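
As an added triage aid (not vendor tooling), the following script decides which of the four advisories apply to a given n8n version, using the affected ranges stated in this article. Two assumptions are made: the article gives no lower bound for CVE-2025-68613, so only its fix versions are used, and Ni8mare's range is taken as 1.65.0 (the vendor's lower bound) up to the 1.121.0 fix. The patched-or-not rule handles advisories with several fix releases on different maintenance lines, such as CVE-2025-68613.

```javascript
'use strict';
// Added example, not vendor tooling: triage which of the four advisories in
// this article apply to a given n8n version. Affected ranges are those stated
// in the article; the lower bound for CVE-2025-68613 is not given there, so it
// is assumed to be 0.0.0 (only its fix versions are decisive).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('not a major.minor.patch version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is patched if it is at or above the fix released on its own
// major.minor line, or, when no fix exists on that line, at or above the
// newest fix release overall (later lines inherit the fix).
function isPatched(version, fixedIn) {
  const [maj, min] = parseVersion(version);
  const sameLine = fixedIn.find((f) => {
    const p = parseVersion(f);
    return p[0] === maj && p[1] === min;
  });
  if (sameLine) return compareVersions(version, sameLine) >= 0;
  const newest = fixedIn.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  return compareVersions(version, newest) >= 0;
}

const ADVISORIES = [
  { id: 'CVE-2026-21858', name: 'Ni8mare', firstAffected: '1.65.0', fixedIn: ['1.121.0'] },
  { id: 'CVE-2026-21877', name: 'unsafe file upload (Git node)', firstAffected: '0.123.0', fixedIn: ['1.121.3'] },
  { id: 'CVE-2025-68668', name: 'N8scape', firstAffected: '1.0.0', fixedIn: ['2.0.0'] },
  { id: 'CVE-2025-68613', name: 'dynamic code RCE', firstAffected: '0.0.0', fixedIn: ['1.120.4', '1.121.1', '1.122.0'] },
];

// Returns the IDs of advisories that still apply to the given version.
function applicableAdvisories(version) {
  return ADVISORIES
    .filter((a) => compareVersions(version, a.firstAffected) >= 0 && !isPatched(version, a.fixedIn))
    .map((a) => a.id);
}

for (const v of ['1.110.0', '1.120.4', '1.121.3', '2.0.0']) {
  console.log(v, '->', applicableAdvisories(v));
}
```

Run it against the version reported by the instance (for example from the n8n settings page or the container image tag); a non-empty list means the upgrade is still outstanding, and an instance on 1.120.x that took the 1.120.4 backport is correctly reported as still exposed to the other three issues.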

In addition to patching, organizations should avoid exposing n8n directly to the public internet. Recommended controls include placing n8n behind a VPN, reverse proxy, or Zero Trust gateway, enabling authentication for all form and webhook endpoints, enforcing least-privilege roles for users, and regularly reviewing and rotating secrets stored in n8n whenever compromise is suspected.

As automation and AI orchestration platforms like n8n become foundational to modern operations, they must be treated as critical infrastructure components. Regular configuration audits, penetration testing of automation stacks, centralized secret management, and monitoring of anomalous workflow activity can drastically reduce the risk that the next major attack campaign begins with a compromised workflow automation platform.
