CVE-2026-21858: Critical n8n RCE Flaw Gives Attackers Full Control of Your Automation Pipelines

A single unauthenticated HTTP request is all it takes to seize complete control of an n8n workflow automation instance — and every system it connects to. CVE-2026-21858, dubbed "Ni8mare" by researchers, carries a perfect CVSS 10.0 score and turns the very tool organizations rely on to streamline operations into an open gateway for lateral movement, credential theft, and full infrastructure compromise.

How the Ni8mare n8n RCE Exploit Works

The vulnerability resides in n8n's Form Webhook node, which handles file uploads from external HTTP requests. Unlike other webhook handlers in the platform, the Form Webhook path does not enforce strict multipart content validation. It blindly trusts the internal file objects it constructs from incoming data and copies attacker-controlled file paths directly into persistent server-side storage. By crafting a malicious HTTP request with a manipulated Content-Type header and specially structured body, an attacker triggers a Content-Type confusion condition. This allows them to override internal application state, read arbitrary files from the server — including authentication secrets and session tokens — forge administrative sessions, and ultimately execute arbitrary operating system commands on the underlying host. No credentials, no prior access, no user interaction required.

The Blast Radius: Why Automation Platforms Are High-Value Targets

What makes CVE-2026-21858 particularly devastating is not the vulnerability mechanics alone but the operational context in which n8n operates. A typical enterprise n8n instance holds stored API keys and OAuth tokens for dozens of integrated services — CRM platforms, cloud providers, internal databases, email gateways, and ticketing systems. It maintains persistent connections to production infrastructure, often with elevated privileges necessary to execute automated workflows. Compromising a single n8n node hands an attacker a pre-built pivot map of the entire internal environment. Horizon3.ai researchers confirmed in their proof-of-concept that exploitation takes seconds and that post-exploitation options are virtually unlimited given the credentials typically stored within workflow configurations.

Affected Versions and the Patch Timeline

All n8n versions from 1.65.0 through 1.120.x are vulnerable. The n8n team released version 1.121.0 to address the root cause, and no effective workaround exists short of upgrading. The Australian Cyber Security Centre (ACSC), Orca Security, and runZero have all issued independent advisories urging immediate patching. Public exploit code is available, and active scanning for exposed n8n instances has been observed in the wild since mid-May 2026. Organizations running self-hosted n8n deployments that have not yet upgraded should assume they are being targeted.

Impact on Saudi Financial Institutions and Regulated Entities

Workflow automation adoption has accelerated across Saudi Arabia's banking and fintech sectors as institutions pursue the operational efficiency goals outlined in Vision 2030. Many SAMA-regulated entities have deployed n8n or similar open-source automation platforms to orchestrate compliance reporting, transaction monitoring alerts, customer onboarding workflows, and internal IT operations. A compromised automation instance in this context does not just expose one application — it bridges the gap between isolated network segments, potentially granting attackers access to core banking systems, anti-money laundering databases, and customer PII repositories protected under PDPL. SAMA's Cyber Security Common Controls (CSCC) mandate strict access management and continuous vulnerability remediation under Domain 3 (Technology) and Domain 4 (Third-Party). NCA's Essential Cybersecurity Controls (ECC) similarly require organizations to maintain an aggressive patch management cadence and restrict internet-facing attack surfaces. An unpatched n8n instance with CVSS 10.0 exposure directly violates both frameworks.

Recommendations and Immediate Actions

1. Upgrade immediately: Update all n8n deployments to version 1.121.0 or later. There is no workaround — patching is the only remediation path.
2. Audit webhook exposure: Identify every n8n instance in your environment, including shadow IT deployments spun up by development teams. Verify that Form Webhook endpoints are not exposed to the internet without authentication gateways.
3. Rotate all stored credentials: If your n8n instance was running a vulnerable version with any internet exposure, assume credential compromise. Rotate every API key, OAuth token, database password, and service account credential stored in n8n workflow configurations.
4. Review automation platform architecture: Place automation orchestration tools behind a reverse proxy with mutual TLS and IP allowlisting. Never expose workflow engines directly to the public internet.
5. Implement network segmentation: Ensure automation platforms cannot reach critical assets — core banking, payment processing, and customer databases — without traversing monitored security boundaries with least-privilege access controls.
6. Activate forensic log review: Search web server and n8n application logs for anomalous POST requests to /webhook/ and /form/ endpoints, particularly those with unusual Content-Type headers or oversized payloads, dating back to when version 1.65.0 was first deployed.
7. Update your SAMA CSCC and NCA ECC compliance registers: Document the vulnerability, your remediation timeline, and any compensating controls applied during the patching window to satisfy audit requirements.

Conclusion

CVE-2026-21858 is a textbook example of why automation platforms deserve the same security scrutiny as core infrastructure. A CVSS 10.0 vulnerability in a tool that holds the keys to every integrated system is not just a software bug — it is an enterprise-wide crisis waiting to happen. Saudi financial institutions running n8n must treat this as an emergency patch event, not a routine update cycle item.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and ensure your automation infrastructure meets SAMA CSCC and NCA ECC requirements before attackers find the gaps first.