Researchers rush to warn defenders of max-severity defect in n8n | CyberScoop<\/title> <meta name=\"description\" content=\"Roughly 100,000 servers running the automated workflow platform for AI and other enterprise tools are potentially exposed to exploitation.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/n8n-critical-vulnerability-massive-risk\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers rush to warn defenders of max-severity defect in n8n\"> <meta property=\"og:description\" content=\"Roughly 100,000 servers running the automated workflow platform for AI and other enterprise tools are potentially exposed to exploitation.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/n8n-critical-vulnerability-massive-risk\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-07T23:07:58+00:00\"> <meta property=\"article:modified_time\" content=\"2026-01-07T23:08:00+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg\"> <meta property=\"og:image:width\" content=\"2015\"> <meta property=\"og:image:height\" content=\"1488\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1767719924g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87328\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87328\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fn8n-critical-vulnerability-massive-risk%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fn8n-critical-vulnerability-massive-risk%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87328 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/n8n-critical-vulnerability-massive-risk\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.880487804878\">\n<div class=\"single-article__header-content\" readability=\"35.407594936709\">\n<p> Roughly 100,000 servers running the automated workflow platform for AI and other enterprise tools are potentially exposed to exploitation. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87328\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"473\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n.jpg?resize=640%2C473&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg 2015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=300,222 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=768,567 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=1024,756 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=1536,1134 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=600,443 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=228,168 228w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=456,337 456w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=914,675 914w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-2.jpg?resize=1142,843 1142w\" sizes=\"(max-width: 914px) 100vw, 914px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"39.339067702553\"><body readability=\"79.886732421254\"><\/p>\n<p>Researchers warn that a critical vulnerability in n8n, an automation platform that allows organizations to integrate AI agents, workflows and hundreds of other enterprise services, could be exploited by attackers to achieve full control of targeted networks.<\/p>\n<p>The maximum-severity vulnerability \u2014 CVE-2026-21858 \u2014 affects about 100,000 servers globally, according to Cyera, which initially <a href=\"https:\/\/www.cyera.com\/research-labs\/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858\">discovered and reported the defect<\/a> to n8n on Nov. 9. Developers responsible for the widely used platform <a href=\"https:\/\/github.com\/n8n-io\/n8n\/releases\/tag\/n8n%401.121.0\">released a patch<\/a> for the vulnerability on Nov. 18, but didn\u2019t <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-v4pr-fm98-w9pg\">publicly disclose<\/a> or assign the vulnerability a CVE until Wednesday.<\/p>\n<p>\u201cThe risk is massive,\u201d Dor Attias, security researcher at Cyera Research Labs, told CyberScoop. \u201cn8n sits at the heart of enterprise automation infrastructure. Gaining control of n8n means gaining access to your secrets, customer data, CI\/CD pipelines and more.\u201d<\/p>\n<p>Researchers haven\u2019t observed active exploitation of the vulnerability, but Cyera published a working proof of concept, which typically triggers a race for defenders to patch a defect before in-the-wild exploitation occurs.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe are seeing a noticeable increase in traffic targeting customer n8n instances,\u201d Upwind CEO Amiram Shachar said. \u201cWe believe this activity is likely driven by heightened interest from both attackers and security researchers rather than confirmed exploitation \u2014 at least for now.\u201d<\/p>\n<p>The content-type confusion vulnerability requires no authentication, allows full remote-code execution and there is no workaround. Researchers and n8n, which did not respond to a request for comment, advise users to update to version 1.121.1 or later to remediate the vulnerability.<\/p>\n<p>Cyera, which dubbed the defect \u201cni8mare,\u201d said the patch effectively addresses the vulnerability. <\/p>\n<p>Threat hunters are especially concerned about the vulnerability because of the widespread deployment of n8n and the potential exposure that could occur as a result of exploitation. <\/p>\n<p>\u201cn8n instances typically manage highly sensitive workflows containing access tokens, credentials and business-critical data. That makes them a gold mine for attackers,\u201d Shachar said. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Systemic weaknesses, including a lack of proper exposure management, permission boundaries and broader application security control amplify the risk, Shachar added. <\/p>\n<p>It\u2019s unclear why n8n took almost two months to publicly disclose the vulnerability. The company acknowledged and started working on a fix for the defect a day after Cyera reported the vulnerability, Attias said. <\/p>\n<p>\u201cThe delay was likely due to them working on patching additional bugs, which is more important than rushing to publish the advisory,\u201d he added.<\/p>\n<p>Indeed, n8n disclosed a separate remote-code execution vulnerability \u2014 <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-v364-rw7m-3263\">CVE-2026-21877<\/a> \u2014 with a CVSS rating of 10 on Wednesday.<\/p>\n<p>Shachar said disclosure procedures and the rapid growth of n8n could have slowed coordination with security advisory channels, adding that some security teams view delayed disclosures as a responsible measure to reduce the risk of immediate, widespread attacks.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8641304347826\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/n8n-critical-vulnerability-massive-risk\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers rush to warn defenders of max-severity defect in n8n<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,78,5715,256,288,2281,703,2759],"tags":[236,86,5716,262,294,2283,705,2760],"class_list":["post-8238","post","type-post","status-publish","format-standard","hentry","category-ai","category-cybersecurity","category-n8n","category-research","category-threats","category-vulnerability","category-vulnerability-disclosure","category-vulnerability-reporting","tag-ai","tag-cybersecurity","tag-n8n","tag-research","tag-threats","tag-vulnerability","tag-vulnerability-disclosure","tag-vulnerability-reporting"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/n8n\/\" rel=\"category tag\">n8n<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability\/\" rel=\"category tag\">vulnerability<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-disclosure\/\" rel=\"category tag\">vulnerability disclosure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-reporting\/\" rel=\"category tag\">vulnerability reporting<\/a>","tag_info":"vulnerability reporting","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8238"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8238\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8238,"date":"2026-01-07T17:07:58","date_gmt":"2026-01-07T23:07:58","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87328"},"modified":"2026-01-07T17:07:58","modified_gmt":"2026-01-07T23:07:58","slug":"researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/07\/researchers-rush-to-warn-defenders-of-max-severity-defect-in-n8n\/","title":{"rendered":"Researchers rush to warn defenders of max-severity defect in n8n"},"content":{"rendered":"