According to Infosecurity Magazine, security researchers at Cyera have disclosed a critical vulnerability they’ve nicknamed “Ni8mare” in the popular n8n workflow automation platform. The bug, tracked as CVE-2026-21858, carries the maximum CVSS severity score of 10.0, meaning it’s remotely exploitable by unauthenticated attackers with potentially devastating consequences. Cyera warns that with over 100 million Docker pulls and an estimated 100,000 servers potentially exposed, the blast radius is significant. The flaw, reported on November 9, was patched by the n8n security team just nine days later in version 1.121.0. The core danger is that a compromised n8n instance acts as a central hub for secrets like API keys and OAuth tokens for connected services like Google Drive, Salesforce, and payment processors.
Why this is a nightmare
Here’s the thing about n8n: it’s not just another app. It’s the connective tissue. It’s the digital butler that has the keys to every room in your enterprise mansion—your cloud storage, your CRM, your AI models, your financial systems. So when Cyera says a compromised server hands attackers “the keys to everything,” they aren’t exaggerating. This isn’t about losing one database. It’s about an attacker getting a master keyring. And with a CVSS 10.0 bug that requires zero authentication? That’s about as bad as it gets. The potential for data theft, financial fraud, and further network invasion is, frankly, massive.
The technical slip-up
So how does it work? Basically, it boils down to a parser mix-up. n8n uses different code to handle file uploads (via a `multipart/form-data` webhook) versus regular data. The file upload parser is more secure. But if an attacker simply changes the content-type header of their webhook request to something like `application/json`, n8n gets confused. It uses the regular, less-secure parser instead. This lets the attacker completely control the supposed “file” metadata, including its path on the server. Instead of pointing to a newly uploaded file, they can point it to any file already on the system. Suddenly, the workflow is reading your SSH keys, your config files, your database passwords—and passing that sensitive data right back to the attacker. From there, it’s a short hop to full server takeover.
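The parser mix-up described above, as an added example: a simplified JavaScript model of the pattern with the weak handler beside a hardened one, not n8n's code or its actual fix. The request shape, the `parsedFiles` field, `UPLOAD_DIR`, the function names and the sample requests are all assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the pattern, not n8n's code.
const path = require('node:path');

const UPLOAD_DIR = '/tmp/uploads'; // assumed: where the multipart parser stores uploads

// Weak pattern: file metadata is read from the parsed body no matter which
// parser produced it, so a JSON body can supply its own "filepath".
function unsafeFilePath(req) {
  return req.body.files.upload.filepath;
}

// Hardened pattern: accept file metadata only from the multipart parser's own
// output (parsedFiles, a hypothetical field) and keep it inside UPLOAD_DIR.
function safeFilePath(req, uploadDir = UPLOAD_DIR) {
  const type = String(req.headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase();
  if (type !== 'multipart/form-data') {
    throw new Error('file fields require multipart/form-data');
  }
  const file = req.parsedFiles && req.parsedFiles.upload;
  if (!file || typeof file.filepath !== 'string') {
    throw new Error('no uploaded file');
  }
  const resolved = path.posix.resolve(file.filepath);
  const root = path.posix.resolve(uploadDir) + '/';
  if (!resolved.startsWith(root)) {
    throw new Error('file path outside upload directory');
  }
  return resolved;
}

// Returns the accepted path, or the rejection reason.
function check(req) {
  try { return safeFilePath(req); } catch (e) { return 'rejected: ' + e.message; }
}

// Constructed sample requests (POSIX paths assumed).
const jsonRequest = {
  headers: { 'content-type': 'application/json' },
  body: { files: { upload: { filepath: '/srv/app/secrets.env' } } },
};
const multipartRequest = {
  headers: { 'content-type': 'multipart/form-data; boundary=x' },
  body: {},
  parsedFiles: { upload: { filepath: '/tmp/uploads/abc123' } },
};
console.log(unsafeFilePath(jsonRequest));
console.log(check(jsonRequest));
console.log(check(multipartRequest));
```

The two checks are independent: the content-type gate stops body-supplied file metadata, and the directory check still applies if a path reaches the handler some other way.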
The broader context and response
Look, software bugs happen. But this one highlights a classic and dangerous pattern: the centralization of critical secrets in automation tools. We keep building these incredibly powerful integration hubs and then, sometimes, under-protecting them. The good news is n8n’s team responded swiftly with a patch. The urgent call to action for every single n8n user running a self-hosted instance is crystal clear: upgrade to version 1.121.0 immediately. There’s no workaround. If you’re using n8n to automate industrial or manufacturing processes (connecting to PLCs, HMIs, or data historians), this isn’t just an IT problem. It’s an operational safety and security crisis. For operations that run such software on robust hardware at the edge, like an industrial panel PC from a leading US supplier, the integrity of the application layer is non-negotiable. Your automation server is only as strong as its weakest link, and this bug was a gaping hole.
