🛡️ 🚨 BREAKING: Critical n8n Vulnerability Chain Enables Unauthenticated RCE — Patch or Isolate Immediately
Published Sunday, June 14, 2026 at 08:03 PM PT BLUF: Two chained vulnerabilities in n8n workflow automation platform — CVE-2025-68613 and CVE-2026-21858 — enable unauthenticated remote code execution. Any organization running exposed n8n instances is at risk of full compromise. Assess exposure and apply mitigations now. DETAILS Two CVEs chain to unauthenticated RCE: CVE-2025-68613 and CVE-2026-21858 (tracked as “Ni8mare”) have been publicly detailed, with exploit methodology demonstrated. The combination allows an unauthenticated attacker to achieve full compromise of n8n workflow environments. n8n is a high-value target: The platform automates workflows and commonly holds credentials, API keys, and integrations with internal systems — making full compromise exceptionally impactful beyond the host itself. Public exploit detail is now available: Hack The Box has published technical breakdown of the exploit chain and released a practice machine (“BloodFlow”), meaning exploit methodology is broadly accessible to threat actors. Weaponization risk is elevated. CVE-2026-21858 designation is notable: The 2026 CVE year designation is unusual and may indicate a pre-publication reserved identifier or a data anomaly — treat this detail as unconfirmed pending vendor advisory verification. No patch confirmation available in provided sources: Patch status and affected version ranges have not been confirmed in the information provided. Organizations should consult the n8n official advisory and NIST NVD entries directly. IMPACT Who: Any organization running n8n instances, particularly those exposed to the internet or accessible without strong authentication controls. What: Automated workflow platforms, internal integrations, stored credentials, connected APIs, and downstream systems reachable via n8n workflows. Scope: Potentially broad — n8n is widely used in DevOps, IT automation, and business process environments. A compromised n8n instance may serve as a pivot point into broader infrastructure. RECOMMENDED ACTIONS Inventory immediately — Identify all n8n instances in your environment, including self-hosted and containerized deployments. Restrict network exposure — If n8n is internet-facing, place behind VPN or restrict access via firewall rules until patched. Check for indicators of compromise — Review n8n logs for unexpected workflow executions, new user creation, or anomalous API calls. Apply vendor patches — Monitor n8n’s official GitHub and security advisories for patch releases; apply immediately upon availability. Audit stored credentials — Assume any credentials stored in n8n workflows may be exposed if instances were reachable prior to mitigation. Rotate API keys and secrets held within n8n integrations as a precautionary measure. ⚠️ UNCERTAINTY FLAGS CVE-2026-21858 year designation is anomalous — verify against official NVD and n8n advisories before citing in formal reporting. Affected version ranges and patch availability are not confirmed in available sources. Active in-the-wild exploitation has not been confirmed — current risk is elevated due to public exploit disclosure, not confirmed threat actor activity. SOURCES Hack The Box: “Ni8mare fuel: Chaining n8n CVEs for full compromise in automated workflows” CVE identifiers: CVE-2025-68613, CVE-2026-21858 Verify against: n8n official security advisories, NIST NVD