Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Server Takeover
These articles are AI-generated summaries. Please check the original sources for full details.
Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Server Takeover
A critical vulnerability (CVE-2026-21858) has been discovered in n8n, a workflow automation platform, enabling unauthenticated remote attackers to achieve full server control. Discovered by Dor Attias and reported November 9, 2025, the flaw, nicknamed “Ni8mare”, carries a CVSS score of 10.0, representing the highest possible severity.
Why This Matters
Modern automation platforms like n8n often centralize access to sensitive data and systems. The ideal model assumes robust security, but vulnerabilities like CVE-2026-21858 demonstrate a critical gap. A successful exploit could lead to complete compromise of the n8n instance, potentially exposing API credentials, OAuth tokens, and database connections, resulting in significant data breaches and financial losses for organizations relying on the platform. Censys currently observes over 26,500 exposed n8n instances.
Key Insights
- CVSS 10.0: This indicates the highest level of severity, meaning a remotely exploitable vulnerability with no authentication required, leading to complete system compromise.
- Content-Type Confusion: The vulnerability stems from improper handling of the “Content-Type” header, allowing attackers to bypass security checks.
- n8n’s Recent Vulnerabilities: n8n has disclosed four critical vulnerabilities in the last two weeks, highlighting a potential pattern of security concerns within the platform.
Working Example
(No code example available in context)
Practical Applications
- Use Case: A marketing team uses n8n to automate lead generation, storing API keys for various marketing tools within the platform. A successful exploit could grant attackers access to these keys, enabling them to compromise the marketing team’s entire workflow.
- Pitfall: Exposing n8n instances directly to the internet without proper authentication is a common misconfiguration that significantly increases the risk of exploitation.
Continue reading
Next article
DDoSia Powers Affiliate-Driven Hacktivist Attacks
Related Content
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution
A critical n8n vulnerability (CVE-2025-68613, CVSS 9.9) allows authenticated users to execute arbitrary code, impacting over 100,000 instances.
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
Singapore’s CSA warns of a CVSS 10.0 SmarterMail vulnerability enabling unauthenticated remote code execution via file upload; a patch is now available.
Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection
A critical LangChain Core vulnerability (CVE-2025-68664, CVSS 9.3) allows secret theft and prompt injection through unsafe serialization.