Critical RCE Vulnerability (CVE-2026-21858) Discovered in n8n Affecting 100,000 Servers

A critical vulnerability CVE-2026-21858 (CVSS 10.0) has been discovered in n8n, affecting versions 1.65 to 1.120.4. It allows unauthenticated remote code execution (RCE) on locally deployed instances, exposing approximately 100,000 servers worldwide. No official workaround is available. The fix requires an update to version 1.121.0 or later. The vulnerability, named Ni8mare, was identified by researchers at Cyera. Technical details and impacts are documented in n8n’s security advisory and databases like the NVD.