Critical n8n Vulnerability Affects Self-Hosted Instances, Versions 1.65.0 to 1.120.4 (CVE-2026-21858)
VIBE CODERS: CHECK YOUR N8N ACCOUNT IF YOU’RE SELF-HOSTING YOUR N8N
Critical Vulnerability: CVE-2026-21858 (Ni8mare)
Public disclosure: January 9, 2026
n8n notified: mid-November 2025
**n8n instances hosted and managed directly by n8n are not affected. CVE-2026-21858, nicknamed Ni8mare, affects self-hosted n8n instances 1.65.0 through 1.120.4, and carries a CVSS severity score of 10.0.**
26,512 Actively Exposed Self-Hosts: Real-time scanning data from Censys in early January identified 26,512 n8n instances currently reachable via the public internet. These specific hosts are at the highest immediate risk of exploitation because they can be targeted by unauthenticated remote requests.
According to Cyera Research Labs, with analysis and reporting published by n8n (official security advisory), The Hacker News, Censys, Security Affairs, and CSO Online, a critical security vulnerability identified as CVE-2026-21858, nicknamed Ni8mare, affects self-hosted n8n instances 1.65.0 through 1.120.4, and carries a CVSS severity score of 10.0.
If you are running a self-hosted n8n instance, you should immediately determine whether you are affected by this vulnerability and take corrective action.
You are affected if:
• Your n8n instance is self-hosted (Docker, VPS, cloud VM, on-prem)
• Your n8n version is earlier than 1.121.0
• The instance is reachable from the internet (webhooks, forms, or direct UI access)
To check your version:
• In the n8n dashboard, go to Help → About and confirm the version number
• Or on the server, run: n8n --version
If the version is below 1.121.0, your instance is vulnerable and must be updated immediately.
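The version check above, scripted so it can run on many hosts at once. This is an added example, not code from the original post or from n8n; it assumes the n8n CLI prints a bare version number on its first line of output and that a Docker deployment can be queried with docker exec, and the affected range it encodes is exactly the one stated above (1.65.0 up to but not including 1.121.0).

```shell
#!/bin/sh
# Added example (not from the original post or the n8n project).
# Decide whether an n8n version string falls in the affected range from the
# advisory: >= 1.65.0 and < 1.121.0.

# Compare two dotted version strings numerically, field by field.
# Prints -1, 0 or 1 for a < b, a == b, a > b. Missing fields count as 0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i in x) ? x[i] + 0 : 0   # "+ 0" drops any non-numeric suffix
      q = (i in y) ? y[i] + 0 : 0
      if (p < q) { print -1; exit }
      if (p > q) { print 1; exit }
    }
    print 0
  }'
}

# Exit 0 if the version is inside the affected range, 1 otherwise.
n8n_version_is_vulnerable() {
  [ "$(vercmp "$1" 1.65.0)" -ge 0 ] && [ "$(vercmp "$1" 1.121.0)" -lt 0 ]
}

# Print a verdict for one version string. Exit 1 when it is affected.
report_version() {
  if n8n_version_is_vulnerable "$1"; then
    echo "n8n $1 is in the affected range (1.65.0 to 1.120.4): upgrade to 1.121.0 or later"
    return 1
  fi
  echo "n8n $1 is outside the affected range"
  return 0
}

# Read the version from a local install (assumes the n8n CLI is on PATH and
# prints the version number as its first line of output).
check_local_n8n() {
  v=$(n8n --version 2>/dev/null | head -n 1 | tr -d '[:space:]')
  [ -n "$v" ] || { echo "could not read version from 'n8n --version'"; return 2; }
  report_version "$v"
}

# Same check for a Docker deployment: pass the container name or id.
check_docker_n8n() {
  v=$(docker exec "$1" n8n --version 2>/dev/null | head -n 1 | tr -d '[:space:]')
  [ -n "$v" ] || { echo "could not read version from container $1"; return 2; }
  report_version "$v"
}

# Usage:  sh check-n8n.sh --local
#         sh check-n8n.sh --docker <container>
#         sh check-n8n.sh 1.120.4 1.121.0 ...   (check version strings directly)
case "${1:-}" in
  "")       ;;                       # no arguments: only define the functions
  --local)  check_local_n8n ;;
  --docker) check_docker_n8n "$2" ;;
  *)        rc=0; for v in "$@"; do report_version "$v" || rc=1; done; exit $rc ;;
esac
```

The numeric field-by-field comparison matters here: a plain string comparison would rank 1.9.0 above 1.10.0 and could wrongly report a patched build as vulnerable, or the reverse. Versions older than 1.65.0 are reported as outside the range, which is what the advisory states; they still warrant an upgrade on general grounds.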
Immediate remediation steps:
  1. Upgrade n8n to version 1.121.0 or later without delay.
  2. If the instance is publicly accessible, temporarily restrict external access to webhooks or forms until the upgrade is complete.
  3. After upgrading, rotate sensitive credentials such as API keys, tokens, database passwords, and OAuth secrets as a precaution.
Common upgrade paths:
Docker: docker pull n8nio/n8n:latest, stop the existing container, and restart using the updated image
npm: npm install -g n8n@latest
How to check if something may have gone wrong:
• Review workflows for unexpected changes or newly created workflows
• Inspect execution history for unfamiliar runs, nodes, or command executions
• Check for unknown admin users or active sessions
• Review server logs for unexpected file access or command execution activity
If suspicious activity is found, assume potential compromise and rotate credentials immediately.
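Two of the checks above (workflows changed recently, and workflows that can run commands on the host) can be automated against a workflow export. This is an added example, not code from the original post or from n8n. It assumes the workflows were exported one file per workflow with `n8n export:workflow --all --separate --output=./exports`, that each file carries the top-level "updatedAt" field and per-node "type" fields that n8n exports use, and the two sample workflows it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the n8n project).
# Triage a per-workflow export directory for two indicators of tampering:
#   CHANGED  the workflow was updated on or after a cutoff timestamp
#   RISKY    the workflow contains a node that executes on the host
# Assumes: n8n export:workflow --all --separate --output=./exports

# Node types that run commands on, or open sessions to, the host.
RISKY_NODE_TYPES='n8n-nodes-base.executeCommand n8n-nodes-base.ssh'

# Print the value of a string field:  json_field file.json updatedAt
json_field() {
  sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Exit 0 if the workflow contains a node type from RISKY_NODE_TYPES.
workflow_has_risky_nodes() {
  for t in $RISKY_NODE_TYPES; do
    grep -q "\"type\":[[:space:]]*\"$t\"" "$1" && return 0
  done
  return 1
}

# Exit 0 if updatedAt is on or after the cutoff (ISO 8601 UTC strings compare lexically).
workflow_changed_since() {
  ts=$(json_field "$1" updatedAt)
  [ -n "$ts" ] || return 1
  awk -v a="$ts" -v b="$2" 'BEGIN { exit !(a >= b) }'
}

# Walk the export directory and print one finding per line.
triage_exports() {
  dir=$1; cutoff=$2
  for f in "$dir"/*.json; do
    [ -f "$f" ] || continue
    workflow_changed_since "$f" "$cutoff" && echo "CHANGED $(basename "$f")"
    workflow_has_risky_nodes "$f" && echo "RISKY $(basename "$f")"
  done
  return 0
}

# Constructed sample export (two workflows) so the script runs offline.
make_sample_export() {
  d=$(mktemp -d)
  cat > "$d/daily-report.json" <<'EOF'
{
  "name": "Daily report",
  "updatedAt": "2025-12-10T08:00:00.000Z",
  "nodes": [
    { "name": "Schedule", "type": "n8n-nodes-base.scheduleTrigger" },
    { "name": "Send", "type": "n8n-nodes-base.emailSend" }
  ]
}
EOF
  cat > "$d/sync-helper.json" <<'EOF'
{
  "name": "sync helper",
  "updatedAt": "2026-01-12T03:14:07.000Z",
  "nodes": [
    { "name": "Webhook", "type": "n8n-nodes-base.webhook" },
    { "name": "Run", "type": "n8n-nodes-base.executeCommand" }
  ]
}
EOF
  echo "$d"
}

# Usage: sh triage-n8n.sh ./exports 2026-01-01T00:00:00Z
#        sh triage-n8n.sh --demo            (runs against the constructed sample)
case "${1:-}" in
  "")     ;;
  --demo) triage_exports "$(make_sample_export)" 2026-01-01 ;;
  *)      triage_exports "$1" "${2:-1970-01-01}" ;;
esac
```

Pick the cutoff from your own history: the last date you know the workflows were in a trusted state, or the date the instance became internet-reachable. A CHANGED workflow that nobody on the team edited, or a RISKY node in a workflow that never needed shell access, is the kind of finding that should trigger the credential rotation described above.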
Overview:
CVE-2026-21858, commonly referred to as Ni8mare, is a critical security vulnerability affecting the n8n automation platform. The issue was publicly disclosed January 9, 2026 and assigned a CVSS severity score of 10.0, the highest possible rating.
The vulnerability allows unauthenticated attackers to potentially gain full control of affected n8n servers under specific conditions.
Who is affected:
This vulnerability affects self-hosted n8n instances running versions 1.65.0 through 1.120.4, formally expressed as versions greater than or equal to 1.65.0 and less than 1.121.0.
Again: n8n instances hosted and managed directly by n8n are not affected.
Risk is highest for instances that:
• Are accessible from the public internet
• Use webhooks or form-based workflows
• Store API keys, credentials, or automation secrets
What the vulnerability allows:
At a high level, the vulnerability relates to how n8n processes certain web requests.
If exploited, an attacker may be able to:
  1. Send a specially crafted request to an exposed n8n endpoint
  2. Access internal files due to request parsing behavior
  3. Extract stored secrets and encryption keys
  4. Forge an administrative session
  5. Execute arbitrary commands on the host server
This can result in unauthorized workflow changes, access to connected services, and full compromise of the underlying system.
Severity and impact:
This vulnerability is considered critical because no authentication is required to begin exploitation, exploitation can lead to full system takeover, and n8n often acts as a central automation hub with access to multiple external systems.
Remediation:
n8n has released a fix in version 1.121.0. All self-hosted users should upgrade to version 1.121.0 or later as soon as possible.
After upgrading, verify the running version to confirm the fix has been applied.
Additional precautions:
If your n8n instance was publicly accessible before patching, it is recommended to rotate API keys and credentials, restrict or firewall public access to webhooks and forms, and review logs and workflow history for anomalies.
Summary:
CVE-2026-21858 (Ni8mare)
Severity: Critical (CVSS 10.0)
Affected: Self-hosted n8n versions 1.65.0 through 1.120.4 (any version earlier than 1.121.0 should be upgraded)
Risk: Potential full server compromise
Fix: Upgrade to 1.121.0 or later
Common upgrade paths:
Docker: docker pull n8nio/n8n:latest, stop the existing container, and restart using the updated image
npm: npm install -g n8n@latest
Sources and further information:
• n8n official security advisory (GitHub Security Advisory for CVE-2026-21858)
• Cyera Research Labs: Ni8mare research disclosure
• The Hacker News coverage of the Ni8mare vulnerability
• Censys advisory and exposure analysis for CVE-2026-21858
• Security Affairs and CSO Online technical reporting on the exploitation chain
This issue should be treated as a high-priority security update for anyone operating self-hosted n8n in production.
Theresa Elliott
The AI Advantage
skool.com/the-ai-advantage