Published: January 12, 2026
What are CVE-2026-21858, CVE-2025-68613 & CVE-2026-21877?
These three high-severity vulnerabilities affect n8n, a popular open-source workflow automation platform used to integrate services and automate operational tasks.
- CVE-2026-21858 (Ni8mare) is a critical unauthenticated remote code execution (RCE) vulnerability caused by improper handling of webhook request parsing. An attacker can exploit this flaw without credentials to gain full control of a vulnerable n8n instance.
- CVE-2025-68613 is a critical authenticated RCE vulnerability in n8n’s expression evaluation engine. An authenticated user with permission to create or modify workflows can inject malicious expressions that result in arbitrary code execution.
- CVE-2026-21877 is a critical authenticated RCE vulnerability that allows a legitimate user to execute arbitrary code by abusing unsafe workflow execution paths.
Together, these issues expose weaknesses in request handling, expression evaluation, and authenticated workflow execution within n8n.
What assets are affected by these CVEs?
All three vulnerabilities affect self-hosted and cloud-hosted n8n instances running vulnerable versions.
- CVE-2026-21858 affects n8n versions prior to 1.121.0, where externally exposed webhook endpoints can be abused without authentication.
- CVE-2025-68613 affects n8n versions prior to the patched releases 1.120.4, 1.121.1, and 1.122.0, enabling authenticated users to execute arbitrary code.
- CVE-2026-21877 affects n8n versions 0.123.0 through 1.121.2, allowing authenticated remote code execution through unsafe workflow execution behavior.
Assets at higher risk include:
- Internet-facing n8n instances
- Environments exposing webhook endpoints
- Automation servers with access to internal systems or credentials
- Deployments where multiple users can create or edit workflows
Because n8n often orchestrates sensitive API keys and internal integrations, a compromised instance can lead to broader infrastructure exposure.
Are fixes available?
Yes. Fixes are available for all three vulnerabilities.
- CVE-2026-21858 – Upgrade to n8n 1.121.0 or later
- CVE-2025-68613 – Upgrade to n8n 1.120.4, 1.121.1, 1.122.0, or later
- CVE-2026-21877 – Upgrade to n8n 1.121.3 or later
Upgrading to patched versions is the only reliable way to fully address these issues. Configuration changes alone do not eliminate the underlying risks.
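The version boundaries listed above can be applied mechanically to an inventory of n8n instances. The following Python is an added example, not CyCognito or n8n code: the function names and the sample inventory are constructed, and it assumes CVE-2025-68613 has no lower version bound and no fixes on release lines older than 1.120, since the page states neither.

```python
import re

# Patched releases for CVE-2025-68613 as listed on this page, keyed by release line.
# Assumption: lines older than 1.120 received no fix; 1.122.0 and later are fixed.
FIX_68613 = {(1, 120): 4, (1, 121): 1}

def parse_version(text):
    """Return (major, minor, patch) for strings such as '1.121.2' or 'v1.121.2'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(part) for part in m.groups())

def affected_cves(version_text):
    """List the CVEs from this advisory that apply to one n8n version."""
    v = parse_version(version_text)
    hits = []
    if v < (1, 121, 0):                      # versions prior to 1.121.0
        hits.append("CVE-2026-21858")
    if v < (1, 122, 0):                      # fixed per release line
        line_fix = FIX_68613.get(v[:2])
        if line_fix is None or v[2] < line_fix:
            hits.append("CVE-2025-68613")
    if (0, 123, 0) <= v <= (1, 121, 2):      # 0.123.0 through 1.121.2
        hits.append("CVE-2026-21877")
    return hits

def triage(inventory):
    """Map host -> list of CVEs, or None when the version cannot be determined."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = affected_cves(version_text)
        except ValueError:
            report[host] = None              # unknown version: review manually
    return report

# Constructed sample inventory (host names and versions are illustrative).
INVENTORY = {
    "automation-prod": "1.121.0",
    "automation-test": "v1.120.4",
    "legacy-poc": "0.122.0",
    "new-cluster": "1.122.0",
    "unlabelled-box": "latest",
}

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        status = "UNKNOWN VERSION" if cves is None else (", ".join(cves) or "patched")
        print(f"{host:16} {INVENTORY[host]:10} {status}")
```

Hosts reported with an unknown version should be checked by hand rather than assumed patched.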
Are there any other recommended actions to take?
In addition to patching, organizations should:
- Identify and inventory all n8n instances, including test and legacy deployments
- Restrict external exposure of webhook endpoints where possible
- Limit workflow creation and editing permissions to trusted users
- Monitor workflow execution and webhook activity for anomalies
- Restrict access to administrative interfaces using network controls
- Apply defense-in-depth controls such as WAFs and API gateways
These actions help reduce risk while remediation efforts are underway.
Is CVE-2026-21858, CVE-2025-68613 or CVE-2026-21877 being actively exploited?
As of the latest advisories, there are no confirmed large-scale exploitation campaigns targeting these vulnerabilities. However, proof-of-concept techniques and technical analyses have been published, and attackers are actively scanning for exposed n8n instances.
Given the severity of these issues—particularly the unauthenticated RCE in CVE-2026-21858—organizations should treat exploitation as likely and act with urgency.
How is CyCognito helping customers identify assets vulnerable to these CVEs?
CyCognito published an Emerging Threat Advisory covering these n8n vulnerabilities inside the CyCognito platform on January 12th, 2026, and is actively researching enhanced detection capabilities for this vulnerability cluster. The platform already surfaces externally exposed assets tied to n8n workflows, webhook endpoints, and automation servers.
CyCognito advises customers to review systems running n8n or similar automation tooling to assess potential exposure, even if those systems are not explicitly identified as running vulnerable versions. Automation platforms are frequently deployed outside central inventories, making external discovery critical.
Check out CyCognito’s Emerging Threats page for more information on these and other relevant vulnerabilities.
How can CyCognito help your organization?
CyCognito gives security teams a clear view of every external asset, including systems they may not know exist. That visibility makes it easier to find n8n instances and understand which ones are vulnerable and exposed. Instead of working through large, noisy alert lists, teams can focus on systems that matter most based on business impact and real-world exploit paths.
CyCognito also helps verify that fixes are deployed and continues monitoring for changes, ensuring newly exposed systems don’t slip by unnoticed. This enables organizations to move faster, reduce risk with confidence, and stay ahead of attackers.
To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.