Ni8mare Decoded: How CVE-2026-21858 Turns Public n8n Instances Into Cloud Master Keys

A single unauthenticated HTTP request. No credentials, no zero-day chain, no exotic primitive — just a malformed Content-Type header. That is all it takes to seize full control of an n8n workflow automation server affected by CVE-2026-21858, the vulnerability researchers at Cyera have dubbed Ni8mare. With a CVSS score of 10.0, Shodan exposure exceeding 71,000 publicly accessible n8n instances (Chris McGee, January 2026 analysis), and a working proof-of-concept already in the wild, this is the most consequential cloud-native vulnerability disclosed so far in 2026 — and the most under-patched.

If your organisation runs n8n self-hosted on AWS, Azure, GCP, a Kubernetes cluster, or a Docker host buried in a developer’s VPC, this brief is for you.

Key Finding

Every n8n version from 1.65.0 through 1.120.4 contains a Content-Type confusion flaw in the formWebhook handler. An unauthenticated attacker can:

  1. Read arbitrary files from the underlying host, including /home/node/.n8n/config (which contains the JWT signing secret) and /home/node/.n8n/database.sqlite (which contains every user’s hashed password and session metadata).
  2. Forge an n8n-auth cookie for the platform’s owner account using the stolen secret.
  3. Authenticate as the owner, create a new workflow containing an Execute Command node, and execute arbitrary OS commands as the node user — typically with access to every credential vaulted inside n8n.

There is no Metasploit module needed. The entire chain fits in two cURL requests.

Technical Analysis: How Ni8mare Works

Stage 1 — Content-Type Confusion in formWebhook

n8n’s formWebhook node is designed to accept browser form submissions. The handler hands an incoming POST to the multipart parser only if the request advertises a multipart boundary. The bug is the other branch: a request that carries a JSON-style body without declaring Content-Type: multipart/form-data still passes through the file-handling code path. The internal request state is overridden, and req.body.files, which should have been populated by Busboy from a real upload, is instead taken directly from attacker-controlled JSON.

This means an attacker can synthesise a “file” with any filepath they choose, then trigger n8n’s internal copyFile routine. The platform happily reads from arbitrary paths on disk and returns the contents.

Stage 2 — Harvesting the Crown Jewels

Two files are sufficient for full takeover:

  • /home/node/.n8n/config — contains the encryptionKey and the userManagement.jwtSecret used to sign all session cookies.
  • /home/node/.n8n/database.sqlite — contains the user table with id, email, role, and globalRoleId. The first row is almost always the platform owner.

With the JWT secret and the owner’s user ID, an attacker can mint a perfectly valid n8n-auth cookie locally — no brute force, no replay, no race condition.

Stage 3 — From Owner to OS Shell

Once authenticated as the owner, the attacker creates a workflow containing an Execute Command node, triggers it, and harvests output. From that point the box is fully compromised: the attacker can read every credential stored inside n8n’s encrypted vault using the encryptionKey lifted in Stage 2.

Horizon3.ai’s red team has demonstrated the full chain reproducibly in lab conditions, and Censys has published an advisory confirming active scanning.

Impact Assessment

Why this is worse than a “typical” RCE

n8n is rarely deployed in isolation. It is the connective tissue between an organisation’s SaaS estate: Slack tokens, Salesforce API keys, AWS IAM credentials, OpenAI keys, database passwords, GitHub PATs, OAuth refresh tokens. As Cyera put it bluntly: “If a vulnerable instance is public facing, it isn’t just a vulnerability — it’s a master key to the entire SaaS and data ecosystem.”

A compromised n8n host typically yields:

  • AWS access keys with s3:* or worse, used by data-ingestion workflows
  • Database connection strings to production Postgres or MongoDB
  • Long-lived Slack bot tokens with chat:write on every internal channel
  • GitHub fine-grained PATs with contents:write scope
  • OpenAI / Anthropic API keys with no rate-limit caps

Exposure At Scale

Shodan and Censys exposure scans during the disclosure window painted a grim picture:

  • 71,000+ total n8n instances reachable from the public internet
  • 25,000+ confirmed vulnerable to Ni8mare at disclosure time
  • 9,700+ of those in the United States alone
  • Disproportionate concentration in EU and North American mid-market SaaS startups, where n8n is favoured as a low-cost Zapier replacement

Risk Rating

  • Confidentiality: Critical — full credential exfiltration
  • Integrity: Critical — attacker can modify workflows, alter data pipelines, push poisoned data into downstream systems
  • Availability: High — destructive workflows can DoS the host or wipe state
  • Business risk: Critical for any organisation where n8n orchestrates customer data, finance flows, or AI agent pipelines

CloudShieldSecure Perspective

Ni8mare is not really an n8n bug. It is a ShadowAI exposure pattern — automation platforms quietly deployed by developers, marketing teams, or AI engineering pods, then left unsegmented and unmonitored because security teams never knew they existed. CloudShieldSecure was built specifically for this blind spot.

Our platform continuously discovers cloud-hosted automation surfaces — n8n, Make, Zapier self-hosted relays, LangFlow, Marimo, Dify — across every VPC, subscription, and Kubernetes cluster the customer owns. For Ni8mare specifically, CloudShieldSecure customers received:

  • A discovery rule flagging every reachable n8n endpoint with the affected version banner within hours of the public PoC
  • Behavioural detection of the Stage 1 anomalous Content-Type request pattern against ingress logs
  • A compensating control recommendation to block the formWebhook route at the WAF until the patch is in place
  • Credential blast-radius mapping so security teams could see, in one view, which AWS keys, Slack tokens, and database secrets stored inside n8n would have to be rotated if compromise was suspected

The lesson generalises. Any workflow-orchestration tool with broad-scope credentials and a public ingress is a high-yield target. Treat such tools like crown-jewel systems, because that is exactly what they are.

  1. Inventory. Find every n8n instance — production, staging, demo, that PoC the data team spun up in March. Check Kubernetes namespaces, Docker hosts, and developer VPCs. External attack surface scans should be paired with internal asset queries.
  2. Patch. Upgrade immediately to n8n 1.121.0 or later. There is no partial mitigation that fully closes the chain — the patch fixes the Content-Type validation at source.
  3. Rotate. Assume any credential ever stored in a vulnerable n8n instance is burned. Rotate AWS keys, Slack tokens, GitHub PATs, OAuth refresh tokens, database passwords, and AI provider API keys.
  4. Re-issue the JWT secret. Even after patching, regenerate userManagement.jwtSecret and force re-authentication of every n8n user. Pre-patch leakage of the signing key is the silent compromise vector.
  5. Lock down ingress. No n8n instance should be reachable directly from the public internet without a WAF, IP allow-list, or SSO-fronting reverse proxy. Use a WAF rule that drops POSTs to /form-test/* and /webhook/* lacking a valid multipart/form-data boundary until the patch is verified.
  6. Hunt. Review n8n access logs and host process trees for the disclosure window onward. Indicators include unusual POSTs to webhook paths with non-multipart bodies, creation of Execute Command workflows by accounts that do not normally author workflows, and outbound network connections from the n8n host to unfamiliar IPs.
  7. Segment. Move n8n into a network zone with explicit egress controls. n8n hosts should not be able to reach 169.254.169.254 (cloud metadata) or arbitrary internet endpoints unless a specific workflow requires it.
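The request shape described in Stage 1 is also what the WAF rule in step 5 and the log review in step 6 key on: a POST to a form-test or webhook path whose Content-Type does not carry a multipart/form-data boundary. The following is an added example, not code from this brief or from the n8n project: it runs that check over constructed JSON-lines access log entries (the field names remote, method, path and content_type are assumptions about the log format) and returns the entries that warrant review.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Webhook paths named in the lock-down guidance (step 5).
WATCHED_PATH = re.compile(r"^/(form-test|webhook)/")
# A genuine browser upload declares a boundary: multipart/form-data; boundary=----WebKitFormBoundary...
MULTIPART = re.compile(r"^multipart/form-data\s*;.*\bboundary=\S+", re.IGNORECASE)


def is_valid_multipart(content_type: Optional[str]) -> bool:
    """True only for multipart/form-data that actually carries a boundary parameter."""
    if not content_type:
        return False
    return MULTIPART.match(content_type.strip()) is not None


def is_suspicious(entry: Dict) -> bool:
    """Stage 1 shape: a POST to a form/webhook path without a multipart boundary."""
    if (entry.get("method") or "").upper() != "POST":
        return False
    if not WATCHED_PATH.match(entry.get("path") or ""):
        return False
    return not is_valid_multipart(entry.get("content_type"))


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines access log entries and return those matching the Stage 1 shape."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole hunt
        if is_suspicious(entry):
            hits.append(entry)
    return hits


# Constructed sample entries (assumed field names; not real traffic).
SAMPLE_LOG = """
{"remote": "203.0.113.7", "method": "POST", "path": "/form-test/abc", "content_type": "application/json"}
{"remote": "198.51.100.2", "method": "POST", "path": "/form-test/abc", "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}
{"remote": "203.0.113.7", "method": "POST", "path": "/webhook/ingest", "content_type": "multipart/form-data"}
{"remote": "192.0.2.9", "method": "GET", "path": "/webhook/ingest", "content_type": null}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"review: {hit['remote']} POST {hit['path']} content_type={hit['content_type']!r}")
```

Of the four constructed entries only the first and third are flagged: the second carries a real boundary and the fourth is a GET. The same predicate, expressed as a WAF condition on method, path and Content-Type, is the compensating control step 5 describes.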

CloudShieldSecure, by CloudKonsult Limited, provides continuous cloud security posture, attack-surface, and identity-blast-radius monitoring for cloud-native enterprises. Learn more at cloudshieldsecure.cloudkonsult.cloud.
