Dispatch
n8n CVE-2026-21858 Technical Deep-Dive: Content-Type Confusion to Admin RCE Chain
Cyera Research Labs published the full exploit chain for Ni8mare: manipulating Content-Type from multipart/form-data to application/json bypasses file validation in n8n's webhook node, enabling directory traversal to read the SQLite DB and AES-256 encryption key, forging admin session cookies, and deploying a malicious workflow with shell exec capabilities. Horizon3.ai separately confirmed the attack is fully scriptable and trivially weaponizable against exposed instances.
↳ Follow the thread