
n8n, the popular open-source workflow automation tool, faces multiple critical vulnerabilities disclosed in late 2025 and early 2026. These flaws enable unauthenticated remote code execution (RCE), posing severe risks to self-hosted deployments.
Vulnerability Overview
Two standout issues dominate recent disclosures. CVE-2026-21858 (CVSS 10.0), named “Ni8mare” by Cyera Research Labs, stems from content-type confusion in Form webhook file handling, allowing attackers to read arbitrary files, forge admin sessions, and execute code without authentication. CVE-2025-68613 (CVSS 9.9), reported by Orca Security and ReSecurity, permits authenticated users to inject malicious expressions in workflows, bypassing sandboxing for server-side RCE.
Technical Breakdown
CVE-2026-21858 Exploitation Chain:
- Intercept Form upload requests and alter Content-Type from multipart/form-data to application/json.
- Override internal file paths to access sensitive data like /etc/passwd or SQLite databases.
- Forge sessions and chain to OS command execution via workflow triggers.
CVE-2025-68613 Attack Path:
- Authenticate with low-privileged access to create/edit workflows.
- Inject payloads in expression nodes, exploiting weak sandbox isolation.
- Escalate to full Node.js runtime compromise, exfiltrating credentials and disrupting automations.
Impacts span the CIA triad: credential theft, workflow corruption, and lateral movement in connected enterprise systems.
Over 100,000 internet-exposed instances remain at risk as of January 2026.
Indicators of Compromise (IOCs)
- Anomalous Form/Webhook traffic with tampered Content-Type headers, in particular Form submissions arriving as application/json instead of multipart/form-data.
- Unexpected file reads, or forged session tokens used against /rest/ endpoints.
- New or modified workflows containing expression payloads such as require('child_process').exec.
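A detection check for the first indicator, as an added example that is not from the article or the n8n project. It parses constructed reverse-proxy log lines (the format, with the request Content-Type as the last quoted field, is an assumption; most proxies need that header added to their log format) and flags POST requests to n8n's Form paths whose Content-Type is not multipart/form-data. Webhook paths are deliberately not flagged, because JSON bodies are normal there; the /form, /form-test and /form-waiting prefixes are n8n's default Form paths and are also an assumption to adjust for your deployment.

```javascript
// Added example (not n8n project code, not from the article): flag access-log
// lines where a Form submission carries a tampered Content-Type.
//
// Assumed, constructed log format:
//   <ip> - - [<time>] "<method> <path> <proto>" <status> "<content-type>"
const SAMPLE_LOG = [
  '203.0.113.7 - - [06/Jan/2026:10:01:12 +0000] "POST /form/3f2a HTTP/1.1" 200 "multipart/form-data; boundary=----x"',
  '203.0.113.7 - - [06/Jan/2026:10:01:19 +0000] "POST /form/3f2a HTTP/1.1" 200 "application/json"',
  '198.51.100.4 - - [06/Jan/2026:10:02:03 +0000] "POST /webhook/abc HTTP/1.1" 200 "application/json"',
  '198.51.100.4 - - [06/Jan/2026:10:02:40 +0000] "GET /rest/workflows HTTP/1.1" 200 "-"',
  '192.0.2.9 - - [06/Jan/2026:10:03:01 +0000] "POST /form-waiting/9d1c HTTP/1.1" 200 "text/plain"',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$/;

// Default n8n Form endpoint prefixes (assumption; override if N8N_ENDPOINT_FORM* is set).
const FORM_PATH_RE = /^\/(form|form-test|form-waiting)\//;

// Parse one log line into a request record, or null if the line does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    contentType: m[6].toLowerCase(),
  };
}

// A browser submitting an n8n Form sends multipart/form-data. A POST to a Form
// path with any other Content-Type is the header tampering the advisories
// describe (the Ni8mare chain swaps it for application/json).
function isSuspiciousFormRequest(req) {
  if (req.method !== "POST" || !FORM_PATH_RE.test(req.path)) return false;
  return !req.contentType.startsWith("multipart/form-data");
}

// Return the parsed records for every suspicious line in the input.
function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (req && isSuspiciousFormRequest(req)) hits.push(req);
  }
  return hits;
}

// Count hits per source IP so repeated tampering from one client stands out.
function countBySource(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] || 0) + 1;
  return counts;
}

if (typeof require !== "undefined" && require.main === module) {
  const hits = findSuspicious(SAMPLE_LOG);
  for (const h of hits) {
    console.log(`${h.time} ${h.ip} POST ${h.path} Content-Type=${h.contentType}`);
  }
  console.log("by source:", countBySource(hits));
}
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; the only tuning needed is LINE_RE for your proxy's format and FORM_PATH_RE if the Form endpoints were renamed.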
Mitigation and Remediation
Upgrade immediately to the latest n8n version via npm update n8n or by pulling the current Docker image. Disable or isolate publicly reachable Form/Webhook nodes, enforce strict authentication, and audit active workflows for Form nodes with file fields. Monitor CISA KEV for prioritization, and scan your environment with tools such as Qualys for exposed instances.
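A workflow audit for the two remaining checks, as an added example that is not from the article or the n8n project: it walks a workflow export (the output of n8n's CLI export:workflow --all --output=... or a constructed sample) and reports Form Trigger nodes that accept file uploads, plus any string parameter that contains Node.js runtime calls such as require('child_process'). The node type name n8n-nodes-base.formTrigger and the formFields.values/fieldType layout are assumptions based on the Form Trigger node and may differ across versions; the pattern list is illustrative.

```javascript
// Added example (not n8n project code, not from the article): audit an n8n
// workflow export for file-accepting Form nodes and runtime-call payloads.

// Assumed node type and parameter layout for the Form Trigger node.
const FORM_TRIGGER_TYPE = "n8n-nodes-base.formTrigger";

// Substrings that have no business inside a workflow expression. Illustrative;
// extend from your own findings. Code nodes may legitimately use require, so
// review those hits by hand rather than treating every match as compromise.
const EXPRESSION_PATTERNS = [
  /require\s*\(/,
  /child_process/,
  /process\s*\.\s*(binding|mainModule|env)/,
  /constructor\s*\.\s*constructor/,
  /this\s*\.\s*constructor/,
];

// Constructed sample export: one benign workflow, one with both findings.
const SAMPLE_EXPORT = [
  {
    name: "Benign newsletter",
    active: true,
    nodes: [
      { name: "Webhook", type: "n8n-nodes-base.webhook", parameters: { path: "subscribe" } },
      { name: "Set", type: "n8n-nodes-base.set", parameters: { value: "={{ $json.email.toLowerCase() }}" } },
    ],
  },
  {
    name: "Upload handler",
    active: true,
    nodes: [
      {
        name: "Form",
        type: FORM_TRIGGER_TYPE,
        parameters: {
          formFields: {
            values: [
              { fieldLabel: "Name", fieldType: "text" },
              { fieldLabel: "Attachment", fieldType: "file" },
            ],
          },
        },
      },
      { name: "Code", type: "n8n-nodes-base.set", parameters: { value: "={{ require('child_process').exec('id') }}" } },
    ],
  },
];

// Yield [path, string] for every string nested anywhere in a parameter object.
function* stringsIn(value, path = "") {
  if (typeof value === "string") {
    yield [path, value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* stringsIn(value[i], `${path}[${i}]`);
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) yield* stringsIn(v, path ? `${path}.${k}` : k);
  }
}

// Labels of the file-type fields declared on a Form Trigger node.
function fileFieldsOf(node) {
  const fields = (node.parameters && node.parameters.formFields && node.parameters.formFields.values) || [];
  return fields.filter((f) => f.fieldType === "file").map((f) => f.fieldLabel);
}

// Findings for one workflow: {workflow, node, kind, detail}.
function auditWorkflow(wf) {
  const findings = [];
  for (const node of wf.nodes || []) {
    if (node.type === FORM_TRIGGER_TYPE) {
      const files = fileFieldsOf(node);
      if (files.length) findings.push({ workflow: wf.name, node: node.name, kind: "form-file-field", detail: files.join(", ") });
    }
    for (const [path, s] of stringsIn(node.parameters || {}, "parameters")) {
      const hit = EXPRESSION_PATTERNS.find((re) => re.test(s));
      if (hit) findings.push({ workflow: wf.name, node: node.name, kind: "runtime-call", detail: `${path} matches ${hit}` });
    }
  }
  return findings;
}

function auditExport(workflows) {
  return workflows.flatMap(auditWorkflow);
}

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const data = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_EXPORT;
  for (const f of auditExport(Array.isArray(data) ? data : [data])) {
    console.log(`[${f.kind}] ${f.workflow} / ${f.node}: ${f.detail}`);
  }
}
```

Point it at the exported file (node audit.js workflows.json) and treat form-file-field hits as the nodes to isolate or take offline until patched, and runtime-call hits as candidates for incident review.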
Disclosure Timeline Highlights
- Nov 9, 2025: Ni8mare reported to n8n.[1]
- Nov 18, 2025: Initial patches released.
- Jan 6-8, 2026: Public advisories from Cyera, Orca, n8n.
Self-hosted automation platforms like n8n demand rigorous patching amid rising automation-targeted attacks.