
"The vulnerability arises from a so-called 'Content-Type Confusion' in n8n's webhook processing. Webhooks are the starting point for workflows and capture incoming data from forms, chat messages, and WhatsApp notifications. By manipulating the Content-Type header, an attacker can overwrite the req.body.files variable and thus read arbitrary files from the system. The researchers demonstrated how the vulnerability can escalate to Remote Code Execution."
"In Docker installations, crucial files such as the SQLite database (/home/node/.n8n/database.sqlite) and configuration files (/home/node/.n8n/config) are stored locally on the disk. An attacker can read these files via the Content-Type Confusion bug. The attacker extracts user IDs, email addresses, and hashed passwords from the database. The configuration file contains the encryption key that n8n uses to sign session cookies. With this information, an attacker can create a fake n8n-auth cookie and log in as an administrator."
"Security researchers at Cyera have discovered a critical vulnerability in n8n, the popular workflow automation platform. The flaw, with a CVSS score of 10.0, allows attackers to take complete control of local n8n instances. There is no workaround; users must upgrade to version 1.121.0 or higher. The security flaw (CVE-2026-21858) was published on January 7 by researcher Dor Attias. The platform has over 100 million Docker pulls worldwide and is used by millions of users and thousands of companies."
A Content-Type Confusion in n8n's webhook processing lets an attacker overwrite the req.body.files variable by manipulating the Content-Type header, which enables arbitrary file reads. Docker installations store the SQLite database (/home/node/.n8n/database.sqlite) and configuration files (/home/node/.n8n/config) on local disk, where the bug allows them to be read. From the database an attacker can extract user IDs, email addresses, and hashed passwords; from the configuration file, the encryption key that n8n uses to sign session cookies. With those artifacts, an attacker can forge an n8n-auth cookie and log in as an administrator. No workaround exists; upgrade to version 1.121.0 or higher.
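As an added defensive illustration of the bug class described above (example code written for this page, not n8n's code, and not a reproduction of the n8n bug's internals, which the article does not detail): a webhook body parser that dispatches only on an allowlisted, normalised media type and refuses any client-supplied `files` field, so parsed body data can never stand in for server-populated upload metadata. The `uploadedFiles` parameter, standing in for the server's own multipart handling, and the `parseWebhookBody` name are assumptions.

```javascript
'use strict';

// Normalise a Content-Type header to its bare media type so that dispatch
// cannot be steered by casing, whitespace or parameters:
// "Application/JSON ; charset=utf-8" -> "application/json".
function mediaType(header) {
  if (typeof header !== 'string') return '';
  return header.split(';')[0].trim().toLowerCase();
}

// Allowlist of media types this webhook accepts, each with exactly one parser.
// A Map (not a plain object) so that keys like "constructor" cannot resolve to
// inherited prototype members; anything not listed is refused, never guessed at.
const BODY_PARSERS = new Map([
  ['application/json', (raw) => JSON.parse(raw)],
  ['application/x-www-form-urlencoded', (raw) => Object.fromEntries(new URLSearchParams(raw))],
]);

// Field names the server populates itself; a client must never be able to set them.
const RESERVED_FIELDS = new Set(['files']);

// headers: plain object with lower-cased header names; raw: request body as a string;
// uploadedFiles: whatever the server-side multipart handler produced (hypothetical
// parameter; empty when the request carried no uploads).
function parseWebhookBody(headers, raw, uploadedFiles = []) {
  const type = mediaType(headers['content-type']);
  const parse = BODY_PARSERS.get(type);
  if (!parse) return { ok: false, status: 415, reason: `unsupported media type: ${type || '(none)'}` };
  let fields;
  try { fields = parse(raw); } catch (err) { return { ok: false, status: 400, reason: 'malformed body' }; }
  if (fields === null || typeof fields !== 'object' || Array.isArray(fields)) {
    return { ok: false, status: 400, reason: 'body must be a JSON object or form' };
  }
  for (const key of Object.keys(fields)) {
    if (RESERVED_FIELDS.has(key)) return { ok: false, status: 400, reason: `client may not set "${key}"` };
  }
  // Files are attached from the server's own upload handling only; the parsed
  // body can never overwrite them.
  return { ok: true, body: Object.freeze({ ...fields, files: Object.freeze([...uploadedFiles]) }) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample requests, not captured traffic.
  console.log(parseWebhookBody({ 'content-type': 'Application/JSON; charset=utf-8' }, '{"event":"ping"}'));
  console.log(parseWebhookBody({ 'content-type': 'application/json' }, '{"files":["smuggled"]}'));
  console.log(parseWebhookBody({ 'content-type': 'text/plain' }, 'hello'));
}
```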
Read at Techzine Global