Ni8mare: Critical n8n vulnerability puts self-hosted instances at risk

A new maximum-severity vulnerability has been discovered in the workflow automation platform n8n. Tracked as CVE-2026-21858 and known as Ni8mare, the flaw allows unauthenticated attackers to fully hijack vulnerable self-hosted n8n instances.

The impact of this vulnerability is significant. n8n is frequently used to store API keys, access tokens, and other secrets, while coordinating automation across internal and external systems. A compromised instance could therefore provide attackers with a foothold into wider infrastructure.

Cyber Security Technologist Chris McGee analysed exposure to this issue using Shodan, identifying more than 71,000 publicly accessible n8n instances. While this figure represents only a subset of all deployments, it highlights a large and active attack surface that automated tools can discover with ease.

The vulnerability affects self-hosted n8n instances that have not yet been patched. Managed or fully updated environments are at significantly lower risk, particularly where public access is restricted.

Users of n8n should ensure their instances are patched immediately and review logs for suspicious activity. Public accessibility should also be carefully reconsidered, as reducing exposure can greatly limit risk.

As part of his own defensive approach, Chris runs his n8n instance behind a Cloudflare Tunnel using Cloudflare's Zero Trust architecture, with strict access controls and multi-factor authentication. This prevents automated discovery and adds an additional layer of security before the n8n login is reached.

Ni8mare serves as a reminder that automation platforms should be treated as high-value assets and protected accordingly.

Read more about this vulnerability: https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/