Critical Vulnerability Exposes n8n Instances to Takeover Attacks


A critical-severity vulnerability in the n8n workflow automation platform allows attackers to take over vulnerable instances, data security firm Cyera warns.

n8n has over 100 million Docker pulls, provides numerous integrations and a drag-and-drop interface, and is used by thousands of enterprises.

Tracked as CVE-2026-21858 (CVSS score 10/10), the newly disclosed n8n vulnerability affects the platform’s webhook and file-handling logic and could lead to unauthenticated access to arbitrary files.

“A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker,” n8n’s advisory reads.

According to Cyera Research Labs researcher Dor Attias, who was credited with finding the bug and who named it Ni8mare, the issue is a Content-Type confusion: n8n calls the wrong parser when an attacker changes the content type.

Because the function that copies ...


Copyright of this story solely belongs to SecurityWeek.