Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
FortiBleed Vulnerability Exploited by INC and Lynx Ransomware to Steal Passwords
July 2, 2026
WhatsApp Username Reservations Raise Security Concerns for 2 Billion Users
July 2, 2026
Alleged Scattered Spider Member Extradited to US for 100+ Network Hacks
July 2, 2026
Home/CyberSecurity News/100,000+ n8n Instances Exposed to Internet Vulnerable to RCE Attacks
CyberSecurity News

100,000+ n8n Instances Exposed to Internet Vulnerable to RCE Attacks

Over 100,000 internet-exposed instances of the popular n8n workflow automation platform are currently at severe risk, following the discovery of a critical vulnerability. Security researchers from...

David kimber
David kimber
January 13, 2026 2 Min Read
35 0

Over 100,000 internet-exposed instances of the popular n8n workflow automation platform are currently at severe risk, following the discovery of a critical vulnerability.

Security researchers from The Shadowserver Foundation discovered that 105,753 unique n8n instances are vulnerable to remote code execution (RCE) attacks through CVE-2026-21858.

n8n is a workflow automation platform that connects various applications, services, and databases. Organizations use it to automate business processes, integrate APIs, and manage data flows across their systems.

The platform has gained significant adoption among enterprises and startups for its flexibility and ease of use.

CVE ID CVSS Score Affected Product Vulnerability Type Impact
CVE-2026-21858 10.0 n8n Workflow Automation Remote Code Execution (RCE) Full instance takeover, data exposure

The Vulnerability Explained

CVE-2026-21858 has a CVSS score of 10.0, making it a critical threat. The flaw stems from a content-type confusion issue in n8n’s webhook handling.

Attackers can send specially crafted HTTP requests with manipulated headers to exploit this weakness.

The vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers, read sensitive system files, extract stored credentials and secrets, forge administrator sessions, and ultimately achieve full instance takeover.

No authentication is required, meaning anyone can exploit this vulnerability without any user interaction. The Shadowserver Foundation’s scan conducted on January 9, 2026, identified alarming numbers.

Scan results for n8n CVE-2026-21858 (CVSS 10.0 RCE) for 2026-01-09: 105,753 vulnerable instances by unique IP found – out of 230,562 IPs with n8n we see that day.

Dashboard Tree Map view: https://t.co/L67BdFnBX6

IP data in Vulnerable HTTP reports: https://t.co/qxv0Gv6cAK pic.twitter.com/MhrRuPO10R

— The Shadowserver Foundation (@Shadowserver) January 10, 2026

Out of 230,562 IP addresses running n8n, approximately 105,753 instances were found to be vulnerable. This represents nearly 46 percent of exposed n8n deployments.

The vulnerability primarily affects n8n versions 1.65.0 through 1.120.x. Systems that have not been patched remain at immediate risk.

Organizations running n8n must immediately upgrade to version 1.121.0 or later, as it includes the security patch.

The vulnerability is particularly dangerous because proof-of-concept exploits are publicly available, and attackers actively scan for vulnerable instances.

Internet-exposed n8n deployments are prime targets, as attackers can exploit the vulnerability to gain access to connected databases, APIs, and third-party services used by workflows, potentially leading to widespread data breaches.

Organizations should prioritize updating n8n installations immediately. Restrict network access using firewalls. Monitor logs for suspicious webhook requests. Review connected integrations and credentials.

Consider using a VPN or a private network instead of exposing your network to the internet. The n8n community and security researchers continue monitoring the threat landscape to identify additional vulnerable instances.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCVEExploitPatchSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Hackers Leverage Browser-in-the-browser Tactic to Trick Facebook Users and Steal Logins

Next Post

DPRK’s Remote Workers Generating $600M Using Identity Theft to Gain Access to Sensitive Systems

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Reduce Alert Fatigue to Improve SOC Efficiency and Cut Business Costs
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us