100,000+ n8n Instances Exposed to Internet Vulnerable to RCE Attacks
Over 100,000 internet-exposed instances of the popular n8n workflow automation platform are currently at severe risk, following the discovery of a critical vulnerability. Security researchers from...
Over 100,000 internet-exposed instances of the popular n8n workflow automation platform are currently at severe risk, following the discovery of a critical vulnerability.
Security researchers from The Shadowserver Foundation discovered that 105,753 unique n8n instances are vulnerable to remote code execution (RCE) attacks through CVE-2026-21858.
n8n is a workflow automation platform that connects various applications, services, and databases. Organizations use it to automate business processes, integrate APIs, and manage data flows across their systems.
The platform has gained significant adoption among enterprises and startups for its flexibility and ease of use.
| CVE ID | CVSS Score | Affected Product | Vulnerability Type | Impact |
|---|---|---|---|---|
| CVE-2026-21858 | 10.0 | n8n Workflow Automation | Remote Code Execution (RCE) | Full instance takeover, data exposure |
The Vulnerability Explained
CVE-2026-21858 has a CVSS score of 10.0, making it a critical threat. The flaw stems from a content-type confusion issue in n8n’s webhook handling.
Attackers can send specially crafted HTTP requests with manipulated headers to exploit this weakness.
The vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers, read sensitive system files, extract stored credentials and secrets, forge administrator sessions, and ultimately achieve full instance takeover.
No authentication is required, meaning anyone can exploit this vulnerability without any user interaction. The Shadowserver Foundation’s scan conducted on January 9, 2026, identified alarming numbers.
Out of 230,562 IP addresses running n8n, approximately 105,753 instances were found to be vulnerable. This represents nearly 46 percent of exposed n8n deployments.
The vulnerability primarily affects n8n versions 1.65.0 through 1.120.x. Systems that have not been patched remain at immediate risk.
Organizations running n8n must immediately upgrade to version 1.121.0 or later, as it includes the security patch.
The vulnerability is particularly dangerous because proof-of-concept exploits are publicly available, and attackers actively scan for vulnerable instances.
Internet-exposed n8n deployments are prime targets, as attackers can exploit the vulnerability to gain access to connected databases, APIs, and third-party services used by workflows, potentially leading to widespread data breaches.
Organizations should prioritize updating n8n installations immediately. Restrict network access using firewalls. Monitor logs for suspicious webhook requests. Review connected integrations and credentials.
Consider using a VPN or a private network instead of exposing your network to the internet. The n8n community and security researchers continue monitoring the threat landscape to identify additional vulnerable instances.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.