Thousands of n8n instances under threat from top security issue

2 hours ago 4

Password recovery concept image showing man typing on a keyboard with an overlay imitating password recovery and data recovery principles

(Image credit: Shutterstock)

Nearly 60,000 n8n instances remain exposed to Ni8mare CVE-2026-21858 flaw
Vulnerability allows unauthenticated remote server takeover; fixed in version 1.121.0
Shadowserver found most cases in US, Europe, Asia; upgrade is only defense

Experts have warned almost 60,000 n8n internet-connected instances are still vulnerable to Ni8mare, a maximum-severity flaw that was discovered and patched.

n8n is an open source workflow automation platform which lets users connect apps, APIs, and services to automate tasks without heavy coding. It allows users to to build visual workflows that move data between tools, trigger actions, and run custom logic.

The Shadowserver Foundation, a nonprofit cybersecurity organization whichgathers intelligence and tracks malicious activity across the web, noted how the platform was vulnerable to CVE-2026-21858, a security flaw stemming from an improper input validation weakness. It allows unauthenticated attackers to remotely take control over the underlying server, and through it target locally deployed n8n instances. The bug was given the maximum severity score - 10/10 and said it plagued versions 1.65.0 and below 1.121.0. It was fixed in version 1.121.0 and was nicknamed Ni8mare.

Patches and workarounds

Shadowserver data claims on January 11 2026, there were exactly 59,559 internet-connected n8n instances vulnerable to Ni8mare, including 28,087 instances in the US, 21,268 in Europe, and 7,553 in Asia.

The bug was discovered in early November 2025 by cybersecurity researchers Cyera. Right now, there are no available workarounds, and the only viable way to defend against potential abuse is to upgrade to the latest version. Granted, admins that can’t upgrade at this time could block attacks by restricting or entirely disabling publicly accessible webhook and form endpoints.

To that end, the n8n team also provided a workflow template for admins who want to scan their instances..

N8n is a vastly popular platform, especially with the explosion in AI development. It is generally used to automate data ingestion and build AI agents, and reportedly has more than 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Via BleepingComputer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read Entire Article