A critical remote code execution vulnerability in the n8n workflow automation platform, identified as CVE-2026-21858, is being actively exploited in the wild. This flaw, which has been assigned a maximum CVSS score of 10, allows unauthenticated attackers to execute arbitrary code on affected servers. The vulnerability affects versions starting with 1.65.0 and below 1.121.0 of n8n.
The vulnerability stems from improper input validation, categorized under CWE-20, which enables attackers to exploit certain form-based workflows to access files on the underlying server. This can lead to unauthorized access and potentially full control over the compromised system. The flaw was disclosed on January 7, 2026, and was reportedly exploited within just one day of its disclosure, highlighting the urgency for organizations to address this issue.
Security researchers have confirmed the availability of at least one exploit and 13 proof-of-concept scripts, which further increases the risk of widespread exploitation. The vulnerability has been dubbed "Ni8mare" due to its severe impact and ease of exploitation.
Organizations using the affected versions of n8n are strongly advised to upgrade to version 1.121.0 or later to mitigate the risk. Given the critical nature of the vulnerability and its active exploitation, the Stakeholder-Specific Vulnerability Categorization (SSVC) has marked this as an "attend" issue, indicating immediate attention is required.
Defenders should prioritize patching affected systems and review their network logs for any signs of compromise. Additionally, implementing network segmentation and least privilege access controls can help limit the potential impact of an exploit. As the vulnerability is being actively targeted, organizations should remain vigilant and monitor for any updates or additional guidance from security vendors and the n8n development team.
CSURFACE