CyberHappenings

Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858)

3 unique sources, 6 articles

Summary


Multiple critical vulnerabilities have been disclosed in the n8n workflow automation platform. The most recent flaw, tracked as CVE-2026-21858 (CVSS 10.0), allows unauthenticated remote attackers to gain complete control over susceptible instances. This vulnerability affects all versions prior to and including 1.65.0 and has been patched in version 1.121.0. Three other critical vulnerabilities (CVE-2025-68613, CVE-2025-68668, and CVE-2026-21877) have also been disclosed, affecting various versions of n8n. Over 103,000 instances are potentially vulnerable, with a significant number located in the U.S., Germany, France, Brazil, and Singapore. Users are advised to upgrade to the latest patched versions or implement mitigations such as disabling the Git node and limiting access for untrusted users.

The Ni8mare vulnerability (CVE-2026-21858) potentially exposes over 100,000 servers and could enable attackers to access API credentials, OAuth tokens, database connections, and cloud storage. The flaw lies in the webhooks that start workflows in n8n. The platform chooses a parser for incoming data based on the request's 'content-type' header: when a request is 'multipart/form-data', a dedicated file upload parser (Formidable) stores the uploaded files in temporary locations; for all other content types, a regular parser is used. The file upload parser wraps Formidable's parse() function and populates req.body.files with Formidable's output. If a threat actor instead sets the content type to something like application/json, the n8n middleware calls the regular parser rather than the file upload parser, so req.body.files is not populated by Formidable and the attacker controls the file metadata and file path. The vulnerability was reported on November 9 and fixed nine days later.

Over 105,753 unpatched instances of n8n were found exposed online, with 59,558 still exposed on Sunday. More than 28,000 IPs were found in the United States and over 21,000 in Europe. n8n is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines.

Timeline

  1. 07.01.2026 15:48 4 articles · 6d ago

    Critical Unauthenticated RCE Vulnerability (CVE-2026-21858) Disclosed

    The article provides detailed information on the Ni8mare vulnerability (CVE-2026-21858) in the n8n workflow automation platform. It highlights the severity of the flaw, which allows unauthenticated remote attackers to gain complete control over susceptible instances. The article also explains the technical details of the vulnerability, including how it relates to the webhooks that start workflows in n8n and the parsing of incoming data based on the 'content-type' header. It emphasizes the potential impact of the vulnerability, which could enable attackers to access sensitive information and compromise enterprise secrets. The article also notes that there are no official workarounds available for Ni8mare, with users urged to upgrade to version 1.121.0 or later to remediate. Over 105,753 unpatched instances of n8n were found exposed online, with 59,558 still exposed on Sunday. More than 28,000 IPs were found in the United States and over 21,000 in Europe.

  2. 07.01.2026 13:26 2 articles · 6d ago

    New CVSS 10.0 RCE Vulnerability (CVE-2026-21877) Disclosed

    A new maximum-severity vulnerability (CVSS 10.0, CVE-2026-21877) has been discovered in n8n, affecting versions >= 0.123.0 and < 1.121.3. This flaw has been patched in version 1.121.3, released in November 2025. Both self-hosted and n8n Cloud instances are impacted. Users are advised to upgrade to the latest version or implement mitigations such as disabling the Git node and limiting access for untrusted users.

  3. 23.12.2025 09:34 2 articles · 21d ago

    Critical n8n Vulnerability (CVE-2025-68613) Disclosed

    A critical vulnerability in the n8n workflow automation platform, tracked as CVE-2025-68613, has been disclosed. The flaw, with a CVSS score of 9.9, affects versions 0.211.0 to 1.120.4 and has been patched in versions 1.120.4, 1.121.1, and 1.122.0. Over 103,000 instances are potentially vulnerable, with a significant number located in the U.S., Germany, France, Brazil, and Singapore. The vulnerability allows authenticated users to execute arbitrary code with the privileges of the n8n process, potentially leading to full compromise of the affected instance, unauthorized data access, and system-level operations. Users are advised to apply patches immediately or implement mitigations such as restricting workflow permissions and deploying n8n in a hardened environment.


Similar Happenings

Critical Authentication Bypass Vulnerability in IBM API Connect

IBM has disclosed a critical authentication bypass vulnerability (CVE-2025-13915) in its API Connect platform, affecting versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5. This flaw, rated 9.8/10 in severity, allows remote attackers to bypass authentication and gain unauthorized access to applications. IBM urges customers to upgrade to the latest version and provides mitigation steps for those unable to patch immediately. The vulnerability is particularly concerning due to its low attack complexity and lack of requirement for user interaction. It impacts API Connect deployments in on-premises, cloud, and hybrid environments, used by organizations in sectors like banking, healthcare, and telecommunications. There is no evidence of the vulnerability being exploited in the wild.

CISA Adds Actively Exploited Digiever NVR Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw, tracked as CVE-2023-52163, allows post-authentication remote code execution via command injection. The vulnerability remains unpatched as the device has reached end-of-life (EoL) status. Threat actors are exploiting this flaw to deliver botnets like Mirai and ShadowV2. CISA recommends mitigations or discontinuation of the product by January 12, 2025.

Critical RCE flaw in HPE OneView software actively exploited

Hewlett Packard Enterprise (HPE) has patched a maximum-severity remote code execution (RCE) vulnerability (CVE-2025-37164) in its OneView software, which has a CVSS score of 10.0. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). HPE advises immediate patching as there are no workarounds or mitigations available. HPE has not confirmed whether the vulnerability has been exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the flaw as actively exploited in attacks and has given Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th. CISA encourages all organizations, including private sector, to patch their devices against this actively exploited flaw as soon as possible. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.

Active Exploitation of Gogs Zero-Day Vulnerability

A high-severity zero-day vulnerability (CVE-2025-8110, CVSS 8.7) in Gogs, a self-hosted Git service, is being actively exploited across over 700 internet-accessible instances. The flaw allows arbitrary code execution by bypassing a previously patched remote code execution vulnerability (CVE-2024-55947). The attacks involve deploying malware based on the Supershell C2 framework, linked to Chinese hacking groups. The vulnerability stems from a path traversal weakness in the PutContents API, enabling attackers to overwrite sensitive files and execute arbitrary commands. The attacks appear to be part of a 'smash-and-grab' campaign, with repositories left behind on compromised systems. As of now, there is no patch available for CVE-2025-8110, and users are advised to disable open registration, limit internet exposure, and scan for suspicious repositories. CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) catalog, and Federal Civilian Executive Branch (FCEB) agencies are required to apply mitigations by February 2, 2026. A second wave of attacks was observed on November 1, 2025, and the malware communicates with a command-and-control server at 119.45.176[.]196.

Critical Vulnerabilities in Fluent Bit Logging Agent

Critical vulnerabilities in Fluent Bit, a widely used telemetry agent, have been disclosed. These flaws affect log, metric, and trace handling across banking, cloud, and SaaS platforms. The issues include improper input validation, path traversal bugs, and authentication bypasses, allowing attackers to manipulate logs, overwrite files, and execute code. Patches are available in versions v4.1.1 and v4.0.12, but older versions remain at risk. The vulnerabilities could distort observability pipelines, impacting financial services, security products, and SaaS environments. Immediate patching and configuration hardening are recommended. AWS has urged customers to update to the latest version of Fluent Bit for optimal protection. The flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure.