Unauthenticated RCE means anyone on the network can seize full control

A maximum-severity bug in the popular automation platform n8n has left an estimated 100,000 servers wide open to complete takeover, courtesy of a flaw so bad it doesn't even require logging in.

The vulnerability, uncovered by researchers at security outfit Cyera, carries a CVSS score of 10.0 and has been dubbed "ni8mare" for good reason. Tracked as CVE-2026-21858, the flaw allows an unauthenticated attacker to execute arbitrary code on vulnerable systems, effectively handing over complete control of the affected environment. There is no workaround other than patching, and users are urged to upgrade to n8n version 1.121.0 or later.

n8n is a self-hosted, open source automation tool that many organizations use to stitch together chat apps, forms, cloud storage, databases, and third-party APIs. It claims more than 100 million Docker pulls, with millions of users and thousands of companies using it to automate everything from ...