On January 7, 2026, fixes were released for a maximum severity vulnerability (CVE-2026-21858) impacting n8n, a workflow automation application primarily used with artificial intelligence. Labeled “Ni8mare” by the researchers who discovered it, the vulnerability allows unauthenticated remote threat actors to take over locally deployed instances via publicly accessible webhook and form endpoints.
The vulnerability can be exploited by bypassing the file upload parser through a non-multipart content type, granting control over file metadata, including file paths. This enables arbitrary local file read and injection into workflows, exposing sensitive data (such as API keys, OAuth tokens, database credentials, and session cookies). In some deployments, this may also lead to authentication bypass or arbitrary command execution, depending on configuration and workflow usage.
While exploitation of CVE-2026-21858 has not been observed at the time of this writing, threat actors are likely to take interest in this vulnerability due to n8n's widespread use (an estimated ~100,000 servers globally are impacted by this vulnerability) and the level of access that could be obtained upon compromise.
Recommendations for CVE-2026-21858
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| n8n | | 1.121.0 or later |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Workaround (Optional)
- For users unable to apply the patch, n8n developers recommend restricting or disabling publicly accessible webhook and form endpoints as a temporary mitigation until the upgrade is completed.
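The two recommendations above (upgrade to 1.121.0 or later; otherwise restrict public webhook and form endpoints) both need to be verified rather than assumed. The following Python script is an added example, not Arctic Wolf's or n8n's code: it flags inventory hosts still running a release older than 1.121.0, and it scans reverse-proxy access logs for requests that reached webhook or form endpoints from outside an allowlisted network, which is how you confirm the workaround is actually in effect. The endpoint prefixes `/webhook/`, `/webhook-test/` and `/form/` are assumed n8n defaults (check your deployment's endpoint settings), and the host inventory and log lines are constructed sample data.

```python
"""Added example (not Arctic Wolf's or n8n's code): triage helpers for CVE-2026-21858.

Assumptions, labelled as such:
  * n8n serves its public trigger entry points under /webhook/, /webhook-test/ and
    /form/ (assumed default prefixes; verify against your own configuration).
  * Reverse-proxy access logs use the common/combined log format.
  * The inventory and log lines below are constructed sample data.
"""
import ipaddress
import re
from typing import Iterable

FIXED_VERSION = (1, 121, 0)  # first fixed release named in the advisory

# Assumed public endpoint prefixes for n8n webhook and form triggers.
PUBLIC_PREFIXES = ("/webhook/", "/webhook-test/", "/form/")


def parse_version(text: str) -> tuple:
    """Turn '1.120.3' (or 'n8n/1.120.3') into a comparable tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the instance runs a release older than the fixed version."""
    return parse_version(version) < FIXED_VERSION


def triage_inventory(inventory: dict) -> list:
    """Return the hostnames from {host: version} still running an unfixed release."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))


# Combined log format: client_ip ident user [time] "METHOD /path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def public_endpoint_hits(lines: Iterable[str], allowlist: Iterable[str]) -> list:
    """Flag requests that reached webhook/form endpoints from outside the allowlist.

    A non-empty result after applying the workaround means the endpoints are still
    reachable from untrusted networks and the mitigation is not effective.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path")
        if not path.startswith(PUBLIC_PREFIXES):
            continue  # not a webhook/form entry point
        src = ipaddress.ip_address(m.group("ip"))
        if any(src in n for n in nets):
            continue  # trusted source, allowed to reach the endpoint
        hits.append({
            "ip": str(src),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
        })
    return hits


# Constructed sample data (not real hosts or traffic).
SAMPLE_INVENTORY = {
    "n8n-prod.example.internal": "1.118.2",
    "n8n-dev.example.internal": "1.121.0",
    "n8n-lab.example.internal": "n8n/1.122.1",
}

SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2026:10:01:02 +0000] "POST /webhook/order-intake HTTP/1.1" 200 17 "-" "curl/8.5.0"',
    '10.0.4.12 - - [08/Jan/2026:10:01:05 +0000] "POST /webhook/order-intake HTTP/1.1" 200 17 "-" "internal-job/1.0"',
    '198.51.100.9 - - [08/Jan/2026:10:02:11 +0000] "GET /form/signup HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jan/2026:10:03:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print("unfixed hosts:", triage_inventory(SAMPLE_INVENTORY))
    for hit in public_endpoint_hits(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("public endpoint reached from outside allowlist:", hit)
```

Feed `public_endpoint_hits` the proxy logs collected after the endpoint restriction is in place; any hit means the restriction is not covering the path or network it reached from. The version check is a triage aid only, and the upgrade remains the fix.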