CVE-2026-21858 & CVE-2026-21877: Critical Vulnerabilities in n8n You Need to Know

What is n8n?

n8n (short for “node everything”) is an open-source workflow automation platform. It allows users to create complex workflows that connect different applications, APIs, and services without writing extensive code. Think of it as a more flexible, self-hosted alternative to Zapier, with powerful customization options and no vendor lock-in.

Key features include:

• Visual workflow builder, a drag-and-drop interface to design automation pipelines
• Self-hosted deployment, users can run n8n on their own servers or cloud instances
• Wide integration ecosystem, supports hundreds of apps, databases, and APIs out of the box
• Extensible via code nodes, advanced users can write JavaScript code for customized workflow actions

While its versatility makes n8n powerful, it also means that security vulnerabilities in the platform can have serious consequences, particularly for self-hosted deployments exposed to the internet.

Critical CVEs in n8n

In early 2026, n8n experienced two major security disclosures that highlighted risks to automation workflows worldwide:

1. CVE-2026-21858, “Ni8mare”

• Severity: Critical (CVSS 10.0)
• Type: Unauthenticated Remote Code Execution (RCE)
• Impact: Attackers could execute arbitrary commands on self-hosted n8n servers without authentication, potentially taking full control of the instance and accessing sensitive workflow data
• Affected versions: All versions prior to 1.121.0
• Mitigation: Upgrade to n8n ≥1.121.0 immediately, restrict public access to the instance, and implement firewall rules or VPN access for workflow management

2. CVE-2026-21877

• Severity: Critical
• Type: Authenticated Remote Code Execution (RCE)
• Impact: Authenticated users could exploit the workflow evaluation engine to run arbitrary commands on the server, meaning even a compromised account could escalate privileges to the underlying server
• Affected versions: Versions prior to 1.121.3
• Mitigation: Upgrade to n8n ≥1.121.3 and audit all user accounts with workflow execution privileges

These vulnerabilities have been collectively nicknamed “Ni8mare” by the security community, due to the ease with which attackers could take over exposed n8n instances.

Why n8n CVEs Matter

• Self-hosted risk: Many organizations use n8n on cloud servers accessible via the internet. Without proper isolation, a vulnerable instance can lead to full server compromise
• Workflow-level access: Attackers could manipulate or exfiltrate sensitive workflow logic, including API keys, database credentials, and internal business processes
• Integration chain effect: Since n8n connects multiple applications, a compromise can propagate across systems, increasing the potential impact

How to Protect Your n8n Instances

• Patch immediately: Upgrade to the latest versions (≥1.121.3) to address both CVE-2026-21858 and CVE-2026-21877
• Restrict access: Limit public exposure of your n8n instance, using firewalls, VPNs, or private network segments
• Audit users and workflows: Remove unnecessary accounts, enforce strong authentication, and review workflows for sensitive data exposure
• Monitor logs: Keep an eye on workflow execution logs and server activity to detect any suspicious behavior
• Backup safely: Regularly backup workflows and server configurations, storing them securely offline or in isolated environments

Conclusion

n8n’s critical CVEs, CVE-2026-21858 and CVE-2026-21877, underscore the importance of security in automation platforms. While n8n provides powerful workflow automation capabilities, these vulnerabilities show that self-hosted convenience must be balanced with robust security practices. Organizations using n8n should patch immediately, limit exposure, and monitor their instances to prevent potential attacks.

By staying informed and proactive, teams can continue leveraging n8n’s automation power without becoming victims of the Ni8mare vulnerabilities.