Critical Vulnerability in n8n (CVE-2026-21858) affects Hosts in Bangladesh

Published on 11-Jan-2026 16:00:00

Executive Summary

A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-21858 and dubbed "Ni8mare," has been identified in n8n, an open-source workflow automation platform. This flaw allows remote attackers without authentication to exploit webhook request handling and file processing logic, potentially leading to full compromise of affected instances. In Bangladesh, 35 unique IP addresses have been observed hosting exploitable n8n instances or exhibiting active exploitation behavior, indicating real-world targeting and compromise of vulnerable deployments.

Immediate action is recommended for all n8n users in Bangladesh to mitigate potential data breaches, credential theft, lateral movement within networks, and unauthorized server takeovers.

Vulnerability Details (CVE-2026-21858)

  1. Identifier: CVE-2026-21858
  2. Platform: n8n (open-source workflow automation)
  3. Severity: Critical (CVSS 10.0)
  4. Affected Versions: All n8n versions below 1.121.0
  5. Attack Vector: Network (no authentication required)
  6. Impact:
     • Unauthenticated RCE
     • Arbitrary file access
     • Credential and secret exfiltration
     • Full host compromise with lateral movement potential

Affected Versions

• n8n self-hosted instances running versions 1.65.0 to below 1.120.0. This issue is fixed in version 1.121.0 and later.

• Deployments accessible via the internet, especially those using webhooks for integrations (e.g., with Slack, email services, or custom APIs).
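An added example (not part of the original advisory or of the n8n project): a Python triage of an instance inventory against the version boundaries stated above. The inventory rows, hostnames and bucket names are constructed assumptions; versions below 1.65.0 get their own bucket because the advisory states two different lower bounds, and anything below 1.121.0 is treated as unpatched.

```python
"""Triage an n8n inventory against the versions stated in this advisory."""
import re

FIXED = (1, 121, 0)        # advisory: fixed in 1.121.0 and later
RANGE_START = (1, 65, 0)   # advisory: lower bound given under "Affected Versions"

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")

def parse(version):
    """Return ((major, minor, patch), is_prerelease), or None if unparsable."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None

def classify(version, internet_facing):
    """Map one instance to a triage bucket (bucket names are hypothetical)."""
    parsed = parse(version)
    if parsed is None:
        return "verify-manually"          # never assume an unknown build is safe
    core, prerelease = parsed
    # A pre-release of the fixed version sorts before it, so it is not counted as fixed.
    if core > FIXED or (core == FIXED and not prerelease):
        return "fixed"
    if core < RANGE_START:
        # Below the 1.65.0 bound, but the details list says "all versions below 1.121.0".
        return "upgrade-outside-stated-range"
    return "patch-now-exposed" if internet_facing else "patch-internal"

def triage(inventory):
    """Group (host, version, internet_facing) rows by bucket."""
    buckets = {}
    for host, version, exposed in inventory:
        buckets.setdefault(classify(version, exposed), []).append(host)
    return buckets

# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = [
    ("n8n-a.example", "1.120.4", True),
    ("n8n-b.example", "v1.121.0", True),
    ("n8n-c.example", "1.121.0-rc.1", False),
    ("n8n-d.example", "1.64.3", True),
    ("n8n-e.example", "latest", False),
]

if __name__ == "__main__":
    for bucket, hosts in sorted(triage(SAMPLE).items()):
        print(f"{bucket}: {', '.join(hosts)}")
```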

Common Attack Scenarios

  1. Automated Scanning: Attackers scan for exposed n8n webhook endpoints.
  2. Content-Type Confusion Probing: Crafted requests with manipulated content types trigger improper parsing.
  3. Unauthorized File Access: Attackers extract sensitive files (configs, auth secrets).
  4. Session Forgery: Using extracted secrets to forge admin sessions.
  5. RCE & Workflow Abuse: Creation/modification of workflows that execute system commands.
  6. Infrastructure Compromise: Use of the compromised instance to access internal resources or other systems.

Vulnerable instances are highly attractive to cybercriminal groups, data brokers, ransomware operators, and opportunistic attackers using mass internet scans.

Advisory Classification


| Field | Value |
|---|---|
| Threat Class | Remote Code Execution via Logic Flaw |
| Threat Vector | Internet / Webhooks |
| Exploit Complexity | Low |
| Authentication Required | None |
| Impact | Complete compromise, Data breach |
| Severity | Critical (CVSS 10.0) |


What Was Observed in Bangladesh

Security scanning and telemetry indicate:

  1. 35 unique IP addresses in Bangladesh with publicly reachable n8n services that appear unpatched and vulnerable to CVE-2026-21858.
  2. Some instances are exhibiting active exploit attempts, including webhook-based probing and anomalous form submissions.

Instances reachable without authentication or protected only by weak controls are prime targets for automated exploitation and intrusion.

