n8n: Critical vulnerability found in n8n workflow automation platform

Critical n8n Vulnerability Exposes Tens of Thousands of Systems to Attack

Security researchers have identified a severe vulnerability in n8n, a popular open-source workflow automation platform, which could allow attackers to bypass automation controls and gain access to sensitive credentials. Tracked as CVE-2026-21858, the flaw has a maximum severity score of 10 and stems from a "content-type confusion" bug in the platform’s standards modes.

The vulnerability poses significant risks, as compromising an n8n environment could expose credentials for high-value services, including Salesforce, AWS, and OpenAI. Given n8n’s role in AI-driven automation and enterprise workflows, the impact of exploitation could be widespread.

Initial scans by Shadowserver detected over 105,000 vulnerable instances out of approximately 230,000 deployments, though the number has since dropped to around 59,500. Separately, Censys reported more than 26,000 exposed hosts.

Researchers at Cyera first disclosed the vulnerability to n8n in November, and patches were released to users on November 18. The recommended fix is upgrading to version 1.121.0 or later. As of now, there is no evidence of active exploitation.

Source: https://www.cybersecuritydive.com/news/critical-vulnerability-n8n-automation-platform/809360/

n8n TPRM report: https://www.rankiteo.com/company/n8n

"id": "n8n1768244907",
"linkid": "n8n",
"type": "Vulnerability",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Over 59,500 vulnerable '
                                              'instances',
                        'industry': 'Technology/Automation',
                        'name': 'n8n',
                        'type': 'Software Vendor'}],
 'attack_vector': 'Content-Type Confusion Bug',
 'customer_advisories': 'Users advised to upgrade to version 1.121.0',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Credentials (Salesforce, AWS, '
                                             'OpenAI)'},
 'date_detected': '2023-11-01',
 'description': 'Security researchers warn that tens of thousands of systems '
                'may be exposed to a critical vulnerability in n8n, a widely '
                'used open-source workflow automation platform. The '
                'vulnerability, tracked as CVE-2026-21858, could allow an '
                'attacker to bypass automation entirely by using a '
                "'content-type confusion' bug in standards modes. Compromising "
                'an n8n environment could allow an attacker to gain widespread '
                'access to sensitive credentials, including Salesforce, AWS, '
                'and OpenAI.',
 'impact': {'data_compromised': 'Sensitive credentials (Salesforce, AWS, '
                                'OpenAI)',
            'identity_theft_risk': 'High (due to credential exposure)',
            'operational_impact': 'Potential bypass of automation workflows',
            'systems_affected': 'n8n workflow automation platform'},
 'investigation_status': 'Ongoing (no evidence of exploitation as of '
                         'disclosure)',
 'post_incident_analysis': {'corrective_actions': 'Patch released (version '
                                                  '1.121.0)',
                            'root_causes': 'Content-type confusion bug in '
                                           "n8n's standards modes"},
 'recommendations': 'Upgrade to n8n version 1.121.0 to mitigate the '
                    'vulnerability.',
 'references': [{'source': 'Cyera'},
                {'source': 'Shadowserver'},
                {'source': 'Censys'}],
 'response': {'containment_measures': 'Patch released (version 1.121.0)',
              'remediation_measures': 'Users advised to upgrade to version '
                                      '1.121.0'},
 'title': 'Critical Vulnerability in n8n Workflow Automation Platform '
          '(CVE-2026-21858)',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2026-21858'}