- Nearly 60,000 n8n instances remain exposed to Ni8mare CVE-2026-21858
- The vulnerability allows takeover of an unauthenticated remote server; fixed in version 1.121.0
- Shadowserver found most cases in the United States, Europe, and Asia; upgrading is just a defense
Experts have warned that nearly 60,000 n8n instances connected to the Internet are still vulnerable to Ni8mare, a maximum severity flaw that has been discovered and fixed.
n8n is an open source workflow automation platform that allows users to connect apps, APIs, and services to automate tasks without heavy coding. It allows users to create visual workflows that move data between tools, trigger actions, and execute custom logic.
The Shadowserver Foundation, a nonprofit cybersecurity organization that gathers intelligence and tracks malicious activity across the web, noted how the platform was vulnerable to CVE-2026-21858, a security flaw resulting from an improper input validation weakness. It allows unauthenticated attackers to remotely take control of the underlying server and, through it, target locally deployed n8n instances. The bug was given the maximum severity score – 10/10 and said to affect versions 1.65.0 and below 1.121.0. It was fixed in version 1.121.0 and was dubbed Ni8mare.
Fixes and workarounds
According to Shadowserver data, on January 11, 2026, there were exactly 59,559 internet-connected n8n instances vulnerable to Ni8mare, including 28,087 in the United States, 21,268 in Europe, and 7,553 in Asia.
The bug was discovered in early November 2025 by cybersecurity researchers Cyera. At this time, no workaround is available and the only viable way to defend against possible abuse is to upgrade to the latest version. Certainly, administrators who cannot upgrade at the moment could block attacks by restricting or entirely disabling publicly accessible webhooks and form endpoints.
To this end, the n8n team has also provided a workflow template for administrators who want to analyze their instances.
N8n is an extremely popular platform, especially with the explosion of AI development. It is typically used to automate data ingestion and build AI agents, and reportedly has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm.
Via BeepComputer
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
