
Ni8mare CVE-2026-21858: n8n RCE Threatens Saudi Bank AI Workflows

A CVSS 10.0 unauthenticated RCE in n8n webhook handling — dubbed Ni8mare — exposes the AI workflow automation platforms many Saudi banks now run for SOC orchestration and DevSecOps pipelines. Here is the SAMA CSCC patch path.

FyntraLink Team

A maximum-severity vulnerability in n8n, the AI workflow automation platform increasingly embedded in Saudi bank SOC playbooks and DevSecOps toolchains, allows any unauthenticated attacker who can reach a webhook endpoint to fully compromise the host. CVE-2026-21858, published by Cyera Research Labs under the name "Ni8mare," carries a CVSS score of 10.0, the ceiling of the scale, and is already drawing mass-scanning activity. For SAMA-regulated institutions this is not a hobbyist-tool problem; it is a tier-1 incident-response trigger.

Inside CVE-2026-21858: Why Ni8mare Hits a CVSS 10.0

The flaw lives in how n8n parses inbound webhook requests. Several webhook handlers reach into req.body.files without first validating the HTTP Content-Type, so a request body that was never parsed as a multipart upload can still supply the files object the handler expects to find there. That is the content-type confusion: by sending a body of a different type (such as JSON) that carries its own files object, an unauthenticated attacker overrides values the handler assumes were set by the upload parser, including file paths and metadata, and chains three trust-boundary failures: arbitrary local file read, administrator session forgery, and finally remote code execution on the underlying host. No credentials, no clicks, no prior foothold required. The bug affects all self-hosted versions from 1.65.0 up to, but not including, 1.121.0, the release published on 18 November 2025 that contains the fix.

Exposure Scale and Active Exploitation

Censys counted 26,512 internet-exposed n8n instances at disclosure time; broader vendor estimates exceed 100,000 deployments globally once private subnets are counted. A working proof-of-concept is already public on GitHub, and Arctic Wolf, Orca Security, and Rapid7 have all flagged opportunistic scanning against /webhook and /form endpoints. Because n8n's credential store typically holds long-lived API keys for Slack, Jira, Microsoft 365, GitHub, AWS, and core-banking sandbox environments, a single Ni8mare hit can cascade across an entire automation fabric within minutes.

Impact on Saudi Financial Institutions

Over the past 24 months, Fyntralink has seen n8n adoption climb sharply inside Saudi banks and fintechs — driven by the push to automate SAMA Cyber Security Control Criteria evidence collection, NCA ECC reporting, and SOC tier-1 triage. Many of these instances are self-hosted on internal Kubernetes clusters or DMZ jump hosts, holding service-account tokens for SIEM, EDR, ticketing, and core banking systems. Under SAMA CSCC, an unauthenticated RCE in such a node is a textbook "high-impact technology vulnerability" requiring immediate containment under control 3.3.14, with breach notification obligations under PDPL Article 20 if customer data is reachable. For NCA ECC-regulated entities, control 2-10-3 (vulnerability management) and 2-3-2 (secure system configuration) are both directly engaged.

Practical Recommendations for SAMA-Regulated Banks

  1. Patch immediately to n8n 1.121.0 or later. No supported configuration workaround exists. Treat the upgrade as an emergency change under your SAMA CSCC change-management process and document the deviation.
  2. Inventory every n8n footprint. Query CMDB, container registries, and Kubernetes namespaces for the n8nio/n8n image. Shadow deployments inside DevOps and data-science teams are the most common blind spot.
  3. Restrict or disable public webhook and form endpoints until the upgrade is verified. Front them with an authenticating reverse proxy (NGINX with mTLS, or your existing WAF), allow only the source networks and paths each workflow actually needs, and drop multipart/form-data and any other body type a given workflow does not require. Treat this as defence in depth: the bug lives in the handler, not the proxy, so filtering buys time but does not replace the patch.
  4. Rotate every credential stored in n8n. Assume any pre-patch instance is compromised: rotate API tokens, OAuth refresh tokens, database passwords, and signing keys held in n8n's encrypted credential store.
  5. Hunt for indicators of compromise. Search reverse-proxy and n8n logs for POST requests to /webhook and /form paths whose Content-Type does not match the body they carry, sudden creation of admin users, and workflow executions that invoke Execute Command nodes outside business hours.
  6. Update threat models and TPRM questionnaires. Add Ni8mare to your third-party risk reviews — many SaaS integrators and managed security providers run n8n internally to deliver services to Saudi banks.
  7. Re-baseline detection. Add Sigma rules covering n8n process anomalies (Node.js spawning shells, unexpected outbound connections from the n8n container) into your SIEM and EDR content libraries.
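A concrete starting point for the hunt in step 5, added here as an example rather than FyntraLink or n8n tooling: it assumes the reverse proxy in front of n8n writes one JSON object per request with `ts`, `src`, `method`, `path`, `content_type`, `status` and, for webhook paths, the first few hundred bytes of the request body (many proxies can be configured to do this; the field names are assumptions). The log entries are constructed. The scan flags the exact shape of the abuse described above, a non-multipart body that supplies its own `files` object, and the inverse mismatch of a multipart Content-Type over a JSON body, then groups hits by source so a scanner sweeping many webhooks shows up as one line.

```javascript
'use strict';
// Added hunting example for step 5 above (not FyntraLink's or n8n's own tooling).
// Assumption: the reverse proxy in front of n8n logs one JSON object per request
// with ts, src, method, path, content_type, status and, for webhook paths, a
// truncated request_body. All entries below are constructed, not real traffic.

// n8n webhook/form paths as named in the article; prefixes are assumed.
const WEBHOOK_PATH = /^\/(webhook|webhook-test|form|form-test)(\/|$)/;

// Constructed sample: benign traffic plus two probes of the smuggling pattern.
const SAMPLE_LOG = [
  { ts: '2026-01-28T02:14:07Z', src: '203.0.113.9', method: 'POST', path: '/webhook/invoice-intake',
    content_type: 'application/json', status: 200,
    request_body: '{"files":{"data":{"filepath":"/home/node/.n8n/config","originalFilename":"x"}}}' },
  { ts: '2026-01-28T08:10:22Z', src: '198.51.100.4', method: 'POST', path: '/webhook/invoice-intake',
    content_type: 'application/json', status: 200,
    request_body: '{"invoice":"INV-2291","amount":1200.5}' },
  { ts: '2026-01-28T08:11:03Z', src: '198.51.100.4', method: 'POST', path: '/form/vendor-onboarding',
    content_type: 'multipart/form-data; boundary=----x', status: 200, request_body: '' },
  { ts: '2026-01-28T09:00:00Z', src: '10.20.0.5', method: 'GET', path: '/healthz',
    content_type: '', status: 200, request_body: '' },
  { ts: '2026-01-28T23:41:55Z', src: '203.0.113.9', method: 'POST', path: '/form/vendor-onboarding',
    content_type: 'application/x-www-form-urlencoded', status: 500,
    request_body: 'files%5Bdata%5D%5Bfilepath%5D=%2Fetc%2Fpasswd' },
  { ts: '2026-01-28T23:42:10Z', src: '203.0.113.9', method: 'POST', path: '/rest/login',
    content_type: 'application/json', status: 401, request_body: '{"email":"a@b","password":"x"}' },
].map((e) => JSON.stringify(e)).join('\n');

// True when a non-multipart body carries a top-level "files" key: the caller is
// supplying the object the handler expects the upload parser to have produced.
function bodySmugglesFiles(contentType, body) {
  if (!body) return false;
  const ct = contentType.toLowerCase();
  if (ct.startsWith('application/json')) {
    try {
      const parsed = JSON.parse(body);
      return parsed !== null && typeof parsed === 'object' &&
        Object.prototype.hasOwnProperty.call(parsed, 'files');
    } catch (e) { return false; }
  }
  if (ct.startsWith('application/x-www-form-urlencoded')) {
    // Extended url-encoding nests keys as files[data][filepath]; match the root key.
    return [...new URLSearchParams(body).keys()].some((k) => k === 'files' || k.startsWith('files['));
  }
  return false;
}

// Scans a JSON-lines proxy log and returns one finding per suspicious request.
function findWebhookAbuse(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); } catch (err) { continue; }   // skip malformed lines
    if (e.method !== 'POST' || !WEBHOOK_PATH.test(String(e.path || ''))) continue;
    const ct = String(e.content_type || '');
    const isMultipart = ct.toLowerCase().startsWith('multipart/form-data');
    const body = String(e.request_body || '');
    if (!isMultipart && bodySmugglesFiles(ct, body)) {
      findings.push({ ts: e.ts, src: e.src, path: e.path, reason: 'non-multipart body supplies files object' });
    } else if (isMultipart && body.trimStart().startsWith('{')) {
      findings.push({ ts: e.ts, src: e.src, path: e.path, reason: 'multipart Content-Type over JSON body' });
    }
  }
  return findings;
}

// Groups findings per source address for triage.
function findingsBySource(findings) {
  const out = {};
  for (const f of findings) {
    (out[f.src] || (out[f.src] = [])).push(`${f.ts} ${f.path}: ${f.reason}`);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findingsBySource(findWebhookAbuse(SAMPLE_LOG)), null, 2));
}
```

On the constructed sample this yields two findings, both from 203.0.113.9: the JSON body carrying a `files` object against /webhook/invoice-intake and the url-encoded `files[data][filepath]` probe against /form/vendor-onboarding; the legitimate JSON webhook call, the real multipart upload and the login attempt are left alone. Feed the same function your proxy's JSON-lines export and pivot on the source list before looking at n8n's own execution history for the same window.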

Conclusion

Ni8mare is a reminder that automation platforms — even those marketed as developer-friendly low-code tools — sit at the heart of modern banking trust boundaries. A CVSS 10.0 unauthenticated RCE in such a hub is not a routine patch; it is an immediate SAMA CSCC compliance event that demands documented containment, rotation, and detection-engineering follow-through. The institutions that move fastest on inventory and credential rotation will limit blast radius. The ones that wait will spend the next quarter writing root-cause reports.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on automation, identity, and third-party risk exposure.