- Nearly 60,000 n8n instances remain exposed to Ni8mare CVE-2026-21858 flaw
- The vulnerability allows the takeover of an unauthenticated remote server; fixed in version 1.121.0
- Shadowserver found most cases in the US, Europe and Asia; improvement is only defense
Experts have warned that nearly 60,000 n8n instances connected to the Internet remain vulnerable to Ni8mare, a major flaw that was discovered and patched.
n8n is an open source workflow automation platform that allows users to connect applications, APIs, and services to automate tasks without heavy coding. It allows users to create visual workflows that move data between tools, trigger actions, and execute custom logic.
The Shadowserver Foundation, a nonprofit cybersecurity organization that gathers intelligence and tracks malicious activity on the web, noted how the platform was vulnerable to CVE-2026-21858, a security flaw stemming from an incorrect input validation weakness. It allows unauthenticated attackers to take remote control of the underlying server and, through it, attack locally deployed n8n instances. The bug received the maximum severity score: 10/10 and said it affected versions 1.65.0 and below 1.121.0. It was fixed in version 1.121.0 and nicknamed Ni8mare.
Patches and solutions
Shadowserver data claims that as of January 11, 2026, there were exactly 59,559 internet-connected n8n instances vulnerable to Ni8mare, including 28,087 instances in the US, 21,268 in Europe, and 7,553 in Asia.
The bug was discovered in early November 2025 by cybersecurity researchers Cyera. At this time, there are no workarounds available and the only viable way to defend against potential abuse is to update to the latest version. Of course, administrators who cannot update at this time could block attacks by restricting or completely disabling publicly accessible webhooks and forms.
To that end, the n8n team also provided a workflow template for administrators who want to scan their instances.
N8n is a very popular platform, especially with the explosion of AI development. It is typically used to automate data ingestion and create AI agents and reportedly has over 100 million downloads on Docker Hub and over 50,000 weekly downloads on npm.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
