A critical flaw in n8n lets attackers take over self-hosted systems remotely; update to version 1.121.0 or later.

A critical vulnerability, CVE-2026-21858, dubbed "Ni8mare," in the n8n automation platform allows unauthenticated remote code execution with a CVSS score of 10.0. Discovered by Cyera, it stems from a Content-Type confusion flaw enabling attackers to manipulate HTTP headers and gain full system access on self-hosted instances. The flaw affects widely used self-hosted deployments, with over 100 million Docker pulls and thousands of organizations relying on n8n for integrations. No workaround exists, and users must upgrade to version 1.121.0 or later. The n8n team patched the issue within nine days of being notified on November 9, 2025.