Published Sunday, June 14, 2026 at 08:03 PM PT

🚨 BREAKING: Critical n8n Vulnerability Chain Enables Unauthenticated RCE β€” Patch or Isolate Immediately

BLUF: Two chained vulnerabilities in n8n workflow automation platform β€” CVE-2025-68613 and CVE-2026-21858 β€” enable unauthenticated remote code execution. Any organization running exposed n8n instances is at risk of full compromise. Assess exposure and apply mitigations now.

DETAILS

  • Two CVEs chain to unauthenticated RCE: CVE-2025-68613 and CVE-2026-21858 (tracked as “Ni8mare”) have been publicly detailed, with exploit methodology demonstrated. The combination allows an unauthenticated attacker to achieve full compromise of n8n workflow environments.
  • n8n is a high-value target: The platform automates workflows and commonly holds credentials, API keys, and integrations with internal systems β€” making full compromise exceptionally impactful beyond the host itself.
  • Public exploit detail is now available: Hack The Box has published technical breakdown of the exploit chain and released a practice machine (“BloodFlow”), meaning exploit methodology is broadly accessible to threat actors. Weaponization risk is elevated.
  • CVE-2026-21858 designation is notable: The 2026 CVE year designation is unusual and may indicate a pre-publication reserved identifier or a data anomaly β€” treat this detail as unconfirmed pending vendor advisory verification.
  • No patch confirmation available in provided sources: Patch status and affected version ranges have not been confirmed in the information provided. Organizations should consult the n8n official advisory and NIST NVD entries directly.

IMPACT

  • Who: Any organization running n8n instances, particularly those exposed to the internet or accessible without strong authentication controls.
  • What: Automated workflow platforms, internal integrations, stored credentials, connected APIs, and downstream systems reachable via n8n workflows.
  • Scope: Potentially broad β€” n8n is widely used in DevOps, IT automation, and business process environments. A compromised n8n instance may serve as a pivot point into broader infrastructure.
  1. Inventory immediately β€” Identify all n8n instances in your environment, including self-hosted and containerized deployments.
  2. Restrict network exposure β€” If n8n is internet-facing, place behind VPN or restrict access via firewall rules until patched.
  3. Check for indicators of compromise β€” Review n8n logs for unexpected workflow executions, new user creation, or anomalous API calls.
  4. Apply vendor patches β€” Monitor n8n’s official GitHub and security advisories for patch releases; apply immediately upon availability.
  5. Audit stored credentials β€” Assume any credentials stored in n8n workflows may be exposed if instances were reachable prior to mitigation.
  6. Rotate API keys and secrets held within n8n integrations as a precautionary measure.

⚠️ UNCERTAINTY FLAGS

  • CVE-2026-21858 year designation is anomalous β€” verify against official NVD and n8n advisories before citing in formal reporting.
  • Affected version ranges and patch availability are not confirmed in available sources.
  • Active in-the-wild exploitation has not been confirmed β€” current risk is elevated due to public exploit disclosure, not confirmed threat actor activity.

SOURCES

  • Hack The Box: “Ni8mare fuel: Chaining n8n CVEs for full compromise in automated workflows”
  • CVE identifiers: CVE-2025-68613, CVE-2026-21858
  • Verify against: n8n official security advisories, NIST NVD