
Ni8mare - Automation Under Siege (n8n)

Critical threat intelligence advisory on n8n workflow automation platform vulnerabilities: CVE-2026-21858 (Ni8mare unauthenticated RCE), CVE-2026-21877 (authenticated Git node RCE), CVE-2025-68613 (authenticated Expression Injection RCE), CVE-2025-68668 (authenticated Pyodide sandbox escape). Analysis of unauthenticated and authenticated RCE flaws, Sha1-Hulud supply chain attacks, and active exploitation targeting 100,000+ exposed instances.

Table of Contents

  1. BLUF (Bottom Line Up Front)
  2. Executive Summary
  3. Key Findings
  4. Recommendations
  5. Vulnerability Metrics
  6. Timeline
  7. Technical Details
  8. Supply Chain Attack: Sha1-Hulud
  9. Threat Activity
  10. Indicators of Compromise
  11. Mitigations
  12. References
  13. Public PoCs
  14. Protect Your Infrastructure with Baysec Vulnripper

BLUF (Bottom Line Up Front)

Upgrade n8n to 2.0.0+ immediately. CVE-2026-21858 (Ni8mare, CVSS 10.0) enables unauthenticated RCE on any n8n instance with exposed webhooks. Public exploits exist; Baysec honeypots detected active scanning. If 2.0.0 is not feasible: minimum 1.121.3 (patches Ni8mare + file write RCE). If patching is delayed: disable public webhooks, restrict network access, assume credential exposure. Audit npm dependencies for Sha1-Hulud supply chain compromise (see indicators).

Root cause: Insufficient patch management. The 100,000+ exposed instances running vulnerable versions highlight a systemic failure to keep self-hosted software current. Implement automated patch management (Dependabot, Renovate, or CI/CD version checks) to prevent future exposure windows.


Executive Summary

Between November 2025 and January 2026, the n8n workflow automation platform experienced a cascade of critical security issues, creating what we assess as an extreme risk environment for self-hosted deployments.

Why This Matters: n8n is one of the most popular open-source workflow automation platforms, with 167,000+ GitHub stars and widespread adoption across enterprises, startups, and developers for automating business processes, integrating APIs, and building AI workflows. Its popularity makes it a high-value target: compromising n8n instances gives attackers access to connected systems, stored credentials, and sensitive business logic.

Baysec identified 16 n8n CVEs affecting current deployments through the Baysec CTI Platform, with five rated CVSS 9.1-10.0 (Critical). The most severe, Ni8mare (CVE-2026-21858), enables complete unauthenticated takeover through a Content-Type confusion vulnerability in webhook handlers.

Real-world impact: While we have not attributed any confirmed breaches to these vulnerabilities yet, the combination of:

This situation creates conditions for widespread compromise. n8n instances typically store API keys, OAuth tokens, database credentials, and cloud access keys, making them high-value targets for initial access and lateral movement.

Baysec CTI assesses this as a critical risk for organizations running self-hosted n8n.

Immediate action: Upgrade to n8n 2.0.0+ (or minimum 1.121.3).

Risk assessment:

  • Self-hosted deployments face the highest risk
  • n8n Cloud users should consult n8n’s security advisories for Cloud-specific impact per CVE

Key Findings

  • Unauthenticated RCE: CVE-2026-21858 (Ni8mare) requires no credentials; attackers can read files, forge admin sessions, and execute commands.
  • Multiple critical RCEs: Four vulnerabilities scored CVSS 9.9-10.0 in a two-month period (high CVE counts reflect security research focus on popular software, not inherently poor quality).
  • Massive exposure: Censys identified 103,476 potentially vulnerable instances (December 22, 2025); Shodan shows 71,118+ with the n8n banner.
  • Supply chain compromise: The Sha1-Hulud npm worm trojanized multiple n8n-nodes-* community packages, stealing credentials and propagating via GitHub Actions.
  • Rapid weaponization: Public exploits appeared within 9 hours of Ni8mare disclosure.
  • No ransomware attribution yet: We have not confirmed any ransomware victims tied to these CVEs, but credential theft typically precedes ransomware deployment.

Recommendations

The root cause of this exposure is insufficient patch management. Organizations running outdated n8n versions lacked processes to detect and apply security updates promptly. Address this systematically:

  1. Inventory all n8n instances including development, staging, production, and test environments.
  2. Prioritize patching based on internet exposure and data sensitivity:
    • Minimum: Upgrade to 1.121.3 (patches Ni8mare and critical file write RCE).
    • Recommended: Upgrade to n8n 2.0.0+ (patches critical RCEs including Python sandbox escapes).
  3. Implement automated patch management to prevent future exposure:
    • Enable Renovate or Dependabot for automated version updates (both support docker-compose.yml, Dockerfile, npm dependencies)
    • Configure CI/CD pipelines to flag outdated dependencies
    • Subscribe to n8n security advisories for immediate notification
    • Establish SLAs for critical security patches (e.g., 24-48 hours for CVSS 9.0+)
  4. Audit npm dependencies for trojanized packages; remove any suspicious n8n-nodes-* packages. See Sha1-Hulud indicators.
  5. Rotate credentials stored in n8n: API keys, OAuth tokens, database credentials, cloud access keys.
  6. Assume compromise if running unpatched versions with internet exposure.
  7. Review network logs for unusual traffic to port 5678 from unfamiliar sources. See Ni8mare exploitation patterns.

Vulnerability Metrics

Primary Critical Vulnerabilities

CVE-2026-21858 (Ni8mare) - Unauthenticated RCE


Metric | Value
Description | n8n versions below 1.121.0 permit attackers to access files on the underlying server through execution of certain form-based workflows. An unauthenticated remote attacker exploiting this flaw could obtain sensitive data stored on the system, potentially enabling further compromise.
CVSS 3.1 | 10.0 (Critical)
CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS | Pending (newly assigned CVE)
CWE | CWE-20: Improper Input Validation
Attack Vector | Network
Authentication | None
Patch Version | 1.121.0
Vendor Advisory | GHSA-v4pr-fm98-w9pg
CISA KEV | Not listed (KEV Catalog, Jan 8, 2026)

CVE-2026-21877 - Authenticated Arbitrary File Write → RCE


Metric | Value
Description | n8n versions below 1.121.3 allow authenticated attackers to execute malicious code using the n8n service. The vulnerability enables arbitrary file write capabilities leading to remote code execution, affecting both self-hosted and cloud deployments.
CVSS 3.1 | 9.9 (Critical)
CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS | Pending
CWE | CWE-434: Unrestricted Upload, CWE-94: Code Injection
Attack Vector | Network
Authentication | Required
Patch Version | 1.121.3
Vendor Advisory | GHSA-v364-rw7m-3263
CISA KEV | Not listed

CVE-2025-68613 - Expression Injection RCE


Metric | Value
Description | n8n versions 0.211.0 through 1.120.3 and 1.121.0 contain a critical remote code execution vulnerability in their workflow expression evaluation system. Authenticated users can supply expressions during workflow configuration that get evaluated in an insufficiently isolated execution context, permitting arbitrary code execution with n8n process privileges.
CVSS 3.1 | 9.9 (Critical)
CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS | 8.42% (92nd percentile)
CWE | CWE-94: Code Injection, CWE-20: Improper Input Validation
Attack Vector | Network
Authentication | Required
Patch Version | 1.120.4 / 1.121.1 / 1.122.0
Vendor Advisory | GHSA-v98v-ff95-f3cp
CISA KEV | Not listed

EPSS Note: CVE-2025-68613 has an EPSS score of 8.42%, placing it in the 92nd percentile - indicating high probability of exploitation in the wild within 30 days.

CVE-2025-68668 - Pyodide Sandbox Escape


Metric | Value
Description | n8n versions 1.0.0 through 1.65535.65535 (prior to 2.0.0) contain a critical sandbox bypass vulnerability in the Python Code Node. Authenticated users can exploit Pyodide’s Python-JavaScript interoperability to escape the WebAssembly sandbox, access Node.js internals, and execute arbitrary system commands with n8n process privileges.
CVSS 3.1 | 9.9 (Critical)
CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS | Pending
CWE | CWE-693: Protection Mechanism Failure
Attack Vector | Network
Authentication | Required (Low privileges)
Patch Version | 2.0.0
Vendor Advisory | GHSA-62r4-hw23-cc8v
CISA KEV | Not listed

Complete Vulnerability Inventory (April 2025 – January 2026)

Vulnerability Intelligence analysis via the Baysec Platform identified 16 n8n CVEs affecting current deployments. Note: High CVE counts often indicate active security research, not inherently poor software quality. n8n’s popularity (167K+ GitHub stars) makes it a high-value research target.

CVE ID | CVSS | Severity | Published | Patch | Impact
CVE-2026-21858 | 10.0 | CRITICAL | 2026-01-07 | 1.121.0 | Unauthenticated file read → admin bypass → RCE
CVE-2026-21877 | 9.9 | CRITICAL | 2026-01-07 | 1.121.3 | Authenticated arbitrary file write → RCE
CVE-2025-68668 | 9.9 | CRITICAL | 2025-12-26 | 2.0.0 | Pyodide sandbox escape in Python Code Node
CVE-2025-68613 | 9.9 | CRITICAL | 2025-12-19 | 1.120.4+ | Expression injection RCE
CVE-2025-55526 | 9.1 | CRITICAL | 2025-08-26 |  | Directory traversal in download_workflow
CVE-2025-65964 | 8.8 | HIGH | 2025-12-08 | 1.119.2 | RCE via Git pre-commit hooks
CVE-2025-62726 | 8.8 | HIGH | 2025-10-30 | 1.113.0 | Git Node RCE via malicious pre-commit hooks
CVE-2025-56265 | 8.8 | HIGH | 2025-09-08 |  | Arbitrary file upload in Chat Trigger
CVE-2025-52478 | 8.7 | HIGH | 2025-08-19 | 1.98.2 | Stored XSS in Form Trigger → Account Takeover
CVE-2025-61914 | 7.3 | HIGH | 2025-12-26 | 1.114.0 | Stored XSS in “Respond to Webhook” node
CVE-2025-68697 | 7.1 | HIGH | 2025-12-26 | 2.0.0 | Legacy Code node arbitrary file read/write
CVE-2025-57749 | 6.5 | MEDIUM | 2025-08-20 | 1.106.0 | Symlink traversal in Read/Write File node
CVE-2025-58177 | 5.4 | MEDIUM | 2025-09-15 | 1.107.0 | Stored XSS in LangChain Chat Trigger
CVE-2025-46343 | 5.0 | MEDIUM | 2025-04-29 | 1.90.0 | Stored XSS via attachments view
CVE-2025-49595 | 4.9 | MEDIUM | 2025-07-03 | 1.99.0 | DoS via malformed binary-data URIs
CVE-2025-49592 | 4.6 | MEDIUM | 2025-06-26 | 1.98.0 | Open redirect in /signin endpoint

Timeline

Date | Event | Source
2025-11-09 | Researcher Dor Attias (Cyera) reports Ni8mare to n8n | Cyera Blog
2025-11-10 | n8n acknowledges the vulnerability report | Cyera Blog
2025-11-18 | n8n releases version 1.121.0 patching CVE-2026-21858 | GitHub Release
2025-11-20 | Multiple medium-severity CVEs disclosed (XSS, symlink traversal, open redirect) | GitHub Advisories
2025-11-24 | Sha1-Hulud 2.0 npm worm campaign begins, compromising n8n packages | Baysec CTI, Microsoft Security Blog
2025-12-09 | CVE-2025-65964 disclosed (Git pre-commit hook RCE) | CIRCL
2025-12-19 | CVE-2025-68613 (CVSS 9.9) – Expression injection RCE disclosed | CIRCL
2025-12-22 | Censys reports 103,476 exposed n8n instances | Censys
2025-12-26 | Three critical CVEs disclosed simultaneously (CVE-2025-68668, CVE-2025-68697, CVE-2025-61914) | GitHub Advisories
2026-01-06 | CVE-2026-21858 officially assigned; Canadian Cyber Centre advisory AV26-004 published | CCCS
2026-01-07 | Media coverage begins | BleepingComputer, TheHackerNews
2026-01-07 | Cyera publishes Ni8mare technical blog post | Cyera Blog
2026-01-08 | Public exploit released (Chocapikk/CVE-2026-21858); scanning activity peaks | GitHub PoC

Technical Details

Ni8mare (CVE-2026-21858)

Protocol: HTTP webhooks, TCP/5678 (default)

Exploitation requirements:

  1. Attacker can reach n8n instance on network
  2. Instance has webhook or form endpoints enabled
  3. Attack requires no authentication

How It Works

Ni8mare exploits a Content-Type confusion vulnerability in n8n’s webhook handler. The parseRequestBody() function decides whether to invoke a file-upload parser or a regular body parser based on the Content-Type header.

When a webhook is configured to accept multipart/form-data, n8n uses a special upload parser. However, by setting a different Content-Type (e.g., application/json), an attacker can bypass the upload parser while still controlling the req.body.files object.

Exploitation chain:

1. Send crafted request with manipulated Content-Type
2. Control req.body.files → read arbitrary file (e.g., /home/node/.n8n/database.sqlite)
3. Extract admin credentials and encryption secrets from database
4. Forge admin session cookie → bypass authentication
5. Create workflow with "Execute Command" node → RCE

Payload Example

See Ni8mare Exploitation Patterns in the Indicators of Compromise section for HTTP request indicators, target file paths, and detection patterns.

Affected Versions

Version Range | Status
1.65.0 – 1.120.x | Vulnerable
1.121.0+ | Patched

Note: Per GitHub Advisory GHSA-v4pr-fm98-w9pg, version 1.65.0 introduced this vulnerability; version 1.121.0 patched it. This CVE does not affect versions prior to 1.65.0.

Arbitrary File Write via Git Node (CVE-2026-21877)

CVE-2026-21877 is a critical authenticated RCE vulnerability allowing attackers to write arbitrary files to the n8n server’s filesystem through the Git node, ultimately enabling code execution.

Exploitation requirements:

  1. Authenticated access to n8n (any user account with workflow permissions)
  2. Git node must be enabled
  3. Attack requires low privileges and no user interaction

How It Works

The Git node in n8n allows users to clone repositories and perform Git operations. However, prior to version 1.121.3, the node lacked proper validation of the repository path parameter. This enabled authenticated attackers to specify arbitrary file system paths, bypassing n8n’s file access restrictions.

Exploitation chain:

1. Authenticated user creates workflow with Git node
2. Specify malicious repository path pointing to restricted system locations
3. Git node writes attacker-controlled content to arbitrary file paths
4. Overwrite critical files (e.g., package.json, startup scripts, node_modules)
5. Trigger file execution → RCE with n8n process privileges

Attack vectors:

  • Overwrite package.json: Inject malicious postinstall scripts that execute on next npm operation
  • Modify startup scripts: Replace systemd service files or Docker entrypoints
  • Plant backdoors: Write malicious .js files into node_modules or custom node directories
  • Credential theft: Overwrite configuration files to exfiltrate stored credentials

Technical Root Cause

The vulnerability stemmed from missing path validation in the Git node implementation. The node accepted user-supplied repositoryPath parameters without checking whether the path was blocked by n8n’s file system security controls.

Fix (version 1.121.3):

const isFilePathBlocked = await this.helpers.isFilePathBlocked(repositoryPath);
if (isFilePathBlocked) {
  throw new NodeOperationError(
    this.getNode(),
    'Access to the repository path is not allowed',
  );
}

The patch introduced isFilePathBlocked() validation before any Git operations execute, preventing access to restricted paths.

Affected Versions

Version Range | Status
0.123.0 – 1.121.2 | Vulnerable
1.121.3+ | Patched

Note: Per GitHub Advisory GHSA-v364-rw7m-3263, version 0.123.0 introduced the Git node; version 1.121.3 patched this vulnerability. Versions prior to 0.123.0 are not affected.

Discovery credit: Security researcher Théo Lelasseux

Expression Injection (CVE-2025-68613)

CVE-2025-68613 is a critical authenticated RCE vulnerability in n8n’s workflow expression evaluation system. Authenticated attackers can inject malicious expressions that escape the sandbox and execute arbitrary code with n8n process privileges.

Exploitation requirements:

  1. Authenticated access to n8n (any user with workflow creation/edit permissions)
  2. Ability to create or modify workflows
  3. Attack requires low privileges and no user interaction

How It Works

n8n allows users to embed JavaScript expressions in workflow configurations using {{ }} syntax. These expressions are evaluated at runtime to enable dynamic data processing. To prevent code injection, n8n implements AST-based (Abstract Syntax Tree) protections through the tournament library to block dangerous patterns.

The core vulnerability: The sandbox can be bypassed by accessing Node.js internals through prototype chain manipulation. Attackers craft expressions that reach the process object and use mainModule.require() to load arbitrary Node.js modules.

Exploitation chain:

1. Authenticated user creates/edits workflow with expression field
2. Inject malicious expression: {{ this.process.mainModule.require('child_process').execSync('id') }}
3. Expression evaluator parses but fails to block prototype chain access
4. Node.js child_process module loaded at runtime
5. Arbitrary system command executed with n8n privileges

Bypass techniques observed in the wild:

// Direct prototype access
this.process.mainModule.require('child_process').execSync('whoami')

// Constructor chain bypass
this.constructor.constructor('return process')().mainModule.require('child_process')

// Global object access
global.process.mainModule.require('fs').readFileSync('/etc/passwd')

Technical Root Cause

Tournament library limitations: While AST-based filtering blocks obvious dangerous patterns like direct require() calls, it cannot prevent:

  1. Prototype chain traversal — Accessing process via this.process or constructor chains
  2. Dynamic property access — Using bracket notation to evade static analysis
  3. Indirect module loading — Reaching require through mainModule rather than direct calls

The fix in versions 1.120.4/1.121.1/1.122.0 added additional blocked patterns and strengthened the expression sandbox context.

Affected Versions

Version Range | Status
0.211.0 – 1.120.3 | Vulnerable
1.121.0 | Vulnerable (regression)
1.120.4 / 1.121.1 / 1.122.0+ | Patched

Note: Per GitHub Advisory GHSA-v98v-ff95-f3cp, version 0.211.0 introduced the vulnerability. Version 1.121.0 contained a regression, requiring a separate patch in 1.121.1.

Detection patterns: See CVE-2025-68613 Behavioral Indicators in the IoC section.

Pyodide Sandbox Escape (CVE-2025-68668)

CVE-2025-68668, codenamed “N8scape”, is a critical protection mechanism failure in n8n’s Python Code Node that enables authenticated attackers to escape the Pyodide WebAssembly sandbox and execute arbitrary system commands.

Exploitation requirements:

  1. Authenticated access to n8n (any user with workflow creation/modification permissions)
  2. Python Code Node enabled (default configuration)
  3. Attack requires low privileges and no user interaction

How It Works

The Python Code Node relies on Pyodide, a WebAssembly-compiled Python runtime designed for browser environments. While Pyodide provides execution isolation through WebAssembly, it was never designed as a security sandbox - it’s optimized for interoperability, not hostile-code isolation.

The core architectural flaw: Pyodide exposes first-class Python-JavaScript interoperability as a feature. Authenticated attackers can abuse this bridge to:

  1. Access JavaScript globals from within Python code
  2. Reach Node.js internals through the JavaScript execution context
  3. Invoke native system commands using Node.js child_process module
  4. Execute with full n8n process privileges

Trust boundary violation:

The vulnerability represents a design-level failure in how trust boundaries were defined between multiple runtimes (Python/WebAssembly/JavaScript/Node.js) operating inside the same process. The Pyodide sandbox was treated as a security boundary when it fundamentally isn’t one.

Exploitation chain:

1. Authenticated user creates workflow with Python Code Node
2. Craft Python code that accesses JavaScript interop features
3. Use Python-JavaScript bridge to reach Node.js process context
4. Import child_process or other Node.js modules
5. Execute arbitrary system commands → Full RCE with n8n privileges

Technical Root Cause

Pyodide is not a hardened security sandbox. Key issues:

  1. Designed for interoperability, not isolation - Pyodide’s core feature is seamless Python↔JavaScript interaction
  2. Shared process context - Python code runs in the same Node.js process as n8n
  3. No security boundaries - WebAssembly memory isolation doesn’t prevent access to JavaScript globals
  4. Trust assumption mismatch - n8n treated Pyodide as a security boundary when it’s just a runtime environment

Fix (version 2.0.0)

n8n 2.0.0 introduced task-runner-based sandboxing, fundamentally changing the execution model:

Old model (vulnerable):

  • Python code executes via Pyodide in the same Node.js process as n8n
  • Shared memory space and JavaScript context
  • No process-level isolation

New model (secure):

  • Python code executes in separate task runner processes
  • Process-level isolation from main n8n process
  • Native Python interpreter (not WebAssembly)
  • Restricted capabilities and resource limits

Configuration (n8n 2.0.0+):

# Enable secure task runner execution (default in 2.0.0+)
N8N_RUNNERS_ENABLED=true
N8N_NATIVE_PYTHON_RUNNER=true

Affected Versions

Version Range | Status
1.0.0 – 1.999.x (all pre-2.0) | Vulnerable
2.0.0+ | Patched (task-runner isolation)

Note: Task-runner-based Python execution was introduced as an optional feature in n8n 1.111.0 and became the default in 2.0.0.

Discovery credit: Security researchers Vladimir Tokarev and Ofek Itach from Cyera Research Labs

MITRE ATT&CK Mapping

Technique | ID | Description
Exploit Public-Facing Application | T1190 | Ni8mare exploits exposed webhook endpoints
Unsecured Credentials | T1552 | Credentials extracted from n8n database/config
Command and Scripting Interpreter | T1059 | RCE via Execute Command node or expression injection
Valid Accounts | T1078 | Forged admin sessions from stolen credentials
Supply Chain Compromise | T1195 | Sha1-Hulud trojanized npm packages

Supply Chain Attack: Sha1-Hulud

Overview

A separate campaign, the “Sha1-Hulud: The Second Coming” npm worm, has compromised hundreds of npm packages including n8n community nodes. This supply chain attack began in November 2025 and represents one of the fastest-spreading npm supply chain attacks on record. Notable victim: Trust Wallet (estimated $8.5M cryptocurrency loss, December 2025).

See Sha1-Hulud Supply Chain indicators for malicious packages, file-based indicators, and detection queries.

Trojanized n8n Packages

Baysec CTI identified the following malicious packages via OSV_DATABASE (Google Open Source Security, GHSA Malware, Amazon Inspector):

Package | Malicious Version | Detection Date | Source
n8n-nodes-phoai-ultimate-tools | 32 versions (1.3.0–1.8.1) | 2025-11-26 | ghsa-malware
n8n-nodes-vercel-ai-sdk | 0.1.7 | 2025-11-26 | google-open-source-security, amazon-inspector
@hapheus/n8n-nodes-pgp | 1.5.1 | 2025-11-26 | google-open-source-security, ghsa-malware
n8n-nodes-tmdb | 0.5.1 | 2025-11-26 | google-open-source-security, ghsa-malware
n8n-nodes-viral-app | 0.2.5 | 2025-11-26 | google-open-source-security, amazon-inspector
n8n-nodes-performance-metrics |  | 2026-01-07 | ghsa-malware
n8n-performance-metrics |  | 2026-01-07 | ghsa-malware

Worm Behavior

  1. Pre-install execution: Malicious preinstall script executes before any security scans
  2. Bun runtime installation: Drops setup_bun.js to install Bun runtime if not present
  3. Credential harvesting: Obfuscated bun_environment.js (~480k lines) scans for npm tokens, GitHub PATs, AWS/GCP/Azure credentials, SSH keys
  4. Exfiltration via GitHub: Stolen secrets published to public repos with description “Sha1-Hulud: The Second Coming”
  5. GitHub Actions backdoor: Creates self-hosted runner named “SHA1HULUD” and injects .github/workflows/discussion.yaml with command injection
  6. Self-propagation: Publishes malicious versions of up to 100 packages owned by the victim
  7. Dead man’s switch: Threatens data destruction if exfiltration channels are severed

MITRE ATT&CK Mapping (Sha1-Hulud)

Technique | ID | Description
Supply Chain Compromise | T1195 | Trojanized npm packages
Command and Scripting Interpreter: JavaScript | T1059.007 | Pre-install script execution
Credentials from Password Stores | T1555 | Harvests npm tokens, GitHub PATs, AWS keys
Ingress Tool Transfer | T1105 | Downloads additional payloads
Valid Accounts: Cloud Accounts | T1078.004 | Uses stolen credentials for persistence
Exfiltration Over Web Service: Exfiltration to Code Repository | T1567.001 | Publishes stolen secrets to GitHub

Threat Activity

Exploitation Status

Public exploits are available and weaponized. Chocapikk released the PoC within 9 hours of disclosure, combining CVE-2026-21858 with CVE-2025-68613 for a full unauthenticated RCE chain.

Active Scanning: Baysec honeypots detected reconnaissance and scanning activity targeting n8n instances on port 5678, confirming that threat actors are actively probing for vulnerable deployments.

Confirmed Breaches: As of January 8, 2026, we have not identified any confirmed real-world breaches directly attributed to these n8n vulnerabilities. However, given the availability of public exploits, active scanning, and massive exposure, exploitation in the wild is highly probable. Organizations should assume unpatched instances may already be compromised.

Ransomware

We have not identified any ransomware victims linked to n8n CVEs so far. However, attackers who exploit workflow automation platforms for credential access often follow up with ransomware deployment. Baysec CTI is continuing to monitor for ransomware activity targeting n8n instances.

Internet Exposure

Source | Count | Date | Notes
Censys | 103,476 | 2025-12-22 | CVE-2025-68613 vulnerable instances
Shodan | 71,118 | 2026-01-08 | product:n8n query
Shodan favicon |  | 2026-01-08 | http.favicon.hash:-831756631
Shodan snapshot | 75,064 | 2026-01 | Independent verification
Cyera Research | ~100,000 | 2026-01 | CVE-2026-21858 global estimate
Censys (updated) | 26,512 | 2026-01-08 | Post-disclosure reduction

Top countries: United States (7,079), Germany (4,280), France (2,655), Brazil (1,347), Singapore (1,129)

Top cloud providers: AWS, Google Cloud, Hetzner

Vulnerable versions observed in the wild:

  • CVE-2026-21858: Versions 1.65.0 – 1.120.x (patched in 1.121.0)
  • CVE-2025-68613: Versions 0.211.0 through 1.120.3, 1.121.0, and 1.122.x before patches
  • Many exposed instances running outdated versions without recent security updates

Indicators of Compromise

Sha1-Hulud Supply Chain (High Priority)

Malicious npm packages - remove immediately if present:

Package | Malicious Versions
n8n-nodes-phoai-ultimate-tools | 32 versions (1.3.0–1.8.1)
n8n-nodes-vercel-ai-sdk | 0.1.7
@hapheus/n8n-nodes-pgp | 1.5.1
n8n-nodes-tmdb | 0.5.1
n8n-nodes-viral-app | 0.2.5
n8n-nodes-performance-metrics | all
n8n-performance-metrics | all
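An added example (not part of the advisory or of any Baysec tooling) that turns the package list above into an offline audit: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3, keyed by node_modules path, so nested copies are seen too), matches name and installed version against the malicious entries, and separately flags the dropped worm files. The lockfile and file list are constructed; the version comparison assumes plain numeric semver.

```javascript
// Added example, not from the advisory: lockfile and file-path audit against
// the Sha1-Hulud indicators listed in this section. Sample data is constructed.
const MALICIOUS = [
  { name: 'n8n-nodes-phoai-ultimate-tools', range: ['1.3.0', '1.8.1'] },
  { name: 'n8n-nodes-vercel-ai-sdk', versions: ['0.1.7'] },
  { name: '@hapheus/n8n-nodes-pgp', versions: ['1.5.1'] },
  { name: 'n8n-nodes-tmdb', versions: ['0.5.1'] },
  { name: 'n8n-nodes-viral-app', versions: ['0.2.5'] },
  { name: 'n8n-nodes-performance-metrics', all: true },
  { name: 'n8n-performance-metrics', all: true },
];
const INDICATOR_FILES = ['setup_bun.js', 'bun_environment.js'];

const toTuple = (v) => v.split('.').slice(0, 3).map(Number);
const leq = (a, b) => { for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i]; return true; };

function isMaliciousVersion(entry, version) {
  if (entry.all) return true;
  if (entry.versions) return entry.versions.includes(version);
  const v = toTuple(version);
  return leq(toTuple(entry.range[0]), v) && leq(v, toTuple(entry.range[1]));
}

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is whatever follows the last "node_modules/".
function packageNameFromKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !meta || typeof meta.version !== 'string') continue;
    const entry = MALICIOUS.find((m) => m.name === name);
    if (entry && isMaliciousVersion(entry, meta.version)) {
      findings.push({ path: key, name, version: meta.version,
        reason: entry.all ? 'all versions malicious' : 'listed malicious version' });
    }
  }
  return findings;
}

// Flags dropped worm files anywhere in a path listing, plus the staging dir.
function auditPaths(paths) {
  return paths.filter((p) => INDICATOR_FILES.some((f) => p.endsWith('/' + f)) || p.includes('/.dev-env/'));
}

// Constructed lockfile: one clean package, one nested older copy, three hits.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-n8n-stack', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/n8n-nodes-tmdb': { version: '0.5.1' },
    'node_modules/other/node_modules/n8n-nodes-tmdb': { version: '0.5.0' },
    'node_modules/n8n-nodes-phoai-ultimate-tools': { version: '1.5.2' },
    'node_modules/n8n-nodes-performance-metrics': { version: '0.0.1' },
  },
};
const SAMPLE_PATHS = [
  '/home/node/.n8n/nodes/node_modules/n8n-nodes-tmdb/dist/index.js',
  '/home/node/.n8n/nodes/node_modules/n8n-nodes-tmdb/setup_bun.js',
  '/home/node/.dev-env/bun_environment.js',
];
```

Running auditLockfile() over the real lockfile of each n8n host (and of the custom-nodes directory, which has its own package.json) is more reliable than `npm ls | grep`, because the lockfile records the exact installed version and every nested copy.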

File-based indicators:

node_modules/**/setup_bun.js
node_modules/**/bun_environment.js
~/.dev-env/

GitHub indicators:

  • Self-hosted runner name: SHA1HULUD
  • Malicious workflow: .github/workflows/discussion.yaml
  • Repository description containing: "Sha1-Hulud: The Second Coming"

Detection & Hunt Queries:

GitHub search for compromised repos:

# Search repository descriptions
"Sha1-Hulud: The Second Coming" in:description

# Search for backdoor workflow
filename:discussion.yaml path:.github/workflows

Local system indicators:

# Check for malicious scripts in node_modules
find node_modules -name "setup_bun.js" -o -name "bun_environment.js"

# Check for Sha1-Hulud staging directory
ls -la ~/.dev-env/

# Audit installed n8n packages
npm ls | grep -E "n8n-nodes-(phoai|vercel|pgp|tmdb|viral|performance)"

GitHub audit log (organization):

  • Self-hosted runners named “SHA1HULUD”
  • Unexpected workflow files: .github/workflows/discussion.yaml
  • New repos with “Sha1-Hulud” in description

Ni8mare (CVE-2026-21858) Exploitation Patterns (Network/WAF Detection)

HTTP request indicators:

Method: POST
URI patterns: /webhook/*, /form/*, /form-test/*
Content-Type: application/json (on endpoints expecting multipart/form-data)
Body contains: "files":[{"filepath":

Detailed network indicators:

  • Content-Type: application/json on a Form/webhook endpoint expecting multipart/form-data
  • JSON body containing "files" array with "filepath" pointing to sensitive paths
  • POST /webhook/* or POST /form/* requests with Content-Type: application/json containing "files" object with path traversal patterns (../, /etc/, /home/node/.n8n/)
  • Large response bodies from webhook endpoints (indicating file exfiltration)

Target file paths in request body:

/home/node/.n8n/database.sqlite
/home/node/.n8n/config
/etc/passwd
../.n8n/database.sqlite

Response indicators (successful exploitation):

  • Unusually large response body (database exfiltration: 1MB+)
  • SQLite file header in response: SQLite format 3
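The block below is an added example (not from the advisory or from n8n) that applies the request and response indicators listed in this section to constructed HTTP samples: a minimal raw-request parser, a request scorer that reports which indicators matched, and a response check for the SQLite header and oversized bodies. A WAF or reverse proxy with request-body logging would feed real traffic into the same functions; the hostnames and bodies here are constructed.

```javascript
// Added example, not part of the advisory: Ni8mare request/response indicator
// matching over constructed HTTP samples. No network I/O.
const WEBHOOK_URI = [/^\/webhook\//, /^\/form\//, /^\/form-test\//];
const SENSITIVE_PATH = ['/home/node/.n8n/', '/etc/', '../'];

// Minimal parser for a raw HTTP/1.1 request (head and body separated by CRLF CRLF).
function parseRawRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const [method, uri] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, uri, headers, body };
}

// Returns every indicator that matched; an empty list means nothing was seen.
function requestIndicators(req) {
  const hits = [];
  if (req.method !== 'POST' || !WEBHOOK_URI.some((re) => re.test(req.uri))) return hits;
  if (!(req.headers['content-type'] || '').toLowerCase().startsWith('application/json')) return hits;
  let body;
  try { body = JSON.parse(req.body); } catch { return hits; }
  if (!body || !Array.isArray(body.files)) return hits;
  hits.push('application/json body carries a "files" array on a webhook/form endpoint');
  for (const f of body.files) {
    if (!f || typeof f.filepath !== 'string') continue;
    hits.push(`client-supplied filepath: ${f.filepath}`);
    if (SENSITIVE_PATH.some((p) => f.filepath.includes(p))) hits.push(`sensitive path pattern: ${f.filepath}`);
  }
  return hits;
}

// Response side: a SQLite header or an unusually large body from a webhook
// endpoint points at a successful read.
function responseIndicators(bodyBuffer, largeThreshold = 1024 * 1024) {
  const hits = [];
  if (bodyBuffer.subarray(0, 15).toString('latin1') === 'SQLite format 3') hits.push('SQLite file header in response');
  if (bodyBuffer.length >= largeThreshold) hits.push(`response body of ${bodyBuffer.length} bytes`);
  return hits;
}

// Constructed samples: one matching the indicators, one ordinary webhook call.
const SUSPICIOUS_REQUEST =
  'POST /form/contact HTTP/1.1\r\nHost: n8n.example.internal\r\nContent-Type: application/json\r\n' +
  'User-Agent: python-requests/2.31\r\n\r\n' +
  JSON.stringify({ files: [{ filepath: '/home/node/.n8n/database.sqlite' }] });
const BENIGN_REQUEST =
  'POST /webhook/order HTTP/1.1\r\nHost: n8n.example.internal\r\nContent-Type: application/json\r\n\r\n' +
  JSON.stringify({ orderId: 42, files: 'none' });

function demo() {
  return {
    suspicious: requestIndicators(parseRawRequest(SUSPICIOUS_REQUEST)),
    benign: requestIndicators(parseRawRequest(BENIGN_REQUEST)),
    response: responseIndicators(Buffer.from('SQLite format 3\u0000constructed')),
  };
}
```

Because the decisive evidence is in the request body, these checks only work where the body is available to the inspecting component; access logs alone will not show the "files" array, which is why the Mitigations section ranks patching above detection.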

User-Agent patterns observed in PoCs:

python-requests/*
curl/*

Behavioral indicators (endpoint/workflow level):

  • New workflows containing “Execute Command” or “Code” nodes created by unknown users
  • Unexpected process spawns from the n8n service (e.g., /bin/sh, curl, wget)
  • Abnormal file access to /home/node/.n8n/database.sqlite or /home/node/.n8n/config
  • Session cookie changes or new admin sessions from unfamiliar IPs
  • Lateral movement attempts from n8n server to internal systems

CVE-2025-68613 (Expression Injection) Behavioral Indicators

Workflow-level detection patterns:

Malicious expression patterns in workflow configurations:

// Sandbox escape attempts
this.process.mainModule.require()
process.mainModule.require('child_process')
this.constructor.constructor('return process')()

// Node.js module access patterns
require('child_process')
require('fs')
require('net')

// Process manipulation
process.mainModule
process.binding
global.process

Workflow audit queries:

Check workflow JSON for suspicious expression patterns:

# Search workflow exports for sandbox escape attempts
grep -r "mainModule\.require" /home/node/.n8n/workflows/
grep -r "constructor\.constructor" /home/node/.n8n/workflows/
grep -r "process\.binding" /home/node/.n8n/workflows/

# Database query (SQLite)
sqlite3 /home/node/.n8n/database.sqlite "SELECT id, name, nodes FROM workflow_entity WHERE nodes LIKE '%mainModule%' OR nodes LIKE '%constructor.constructor%';"
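As an added example (not from the advisory, n8n, or the tournament library), the scanner below does what the grep and sqlite3 queries above do, but over the parsed workflow JSON: it walks every string parameter of every node and reports which of the patterns listed in this section matched, with the node name and parameter path. The bracket-notation rule extends the Technical Root Cause section's point about dynamic property access and is a heuristic; the workflow export is constructed.

```javascript
// Added example, not n8n's code: scans an exported workflow for the expression
// patterns listed in the IoC section. Sample export is constructed.
const PATTERNS = [
  { id: 'mainModule.require', re: /mainModule\s*\.\s*require/ },
  { id: 'constructor.constructor', re: /constructor\s*\.\s*constructor/ },
  { id: 'this.process', re: /\bthis\s*\.\s*process\b/ },
  { id: 'global.process', re: /\bglobal\s*\.\s*process\b/ },
  { id: 'process.binding', re: /\bprocess\s*\.\s*binding\b/ },
  { id: 'require(child_process|fs|net)', re: /require\s*\(\s*['"`](child_process|fs|net)['"`]\s*\)/ },
  // Heuristic extension: bracket access to the same names, which defeats dotted-pattern filters.
  { id: 'bracket access to sensitive name (heuristic)', re: /\[\s*['"`](constructor|process|mainModule|require)['"`]\s*\]/ },
];

// Yields every string in a nested parameters object together with its path.
function* walkStrings(value, trail = []) {
  if (typeof value === 'string') {
    yield { path: trail.join('.'), value };
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* walkStrings(value[i], [...trail, String(i)]);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* walkStrings(v, [...trail, k]);
  }
}

function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const { path, value } of walkStrings(node.parameters || {}, ['parameters'])) {
      for (const p of PATTERNS) {
        if (p.re.test(value)) findings.push({ node: node.name, type: node.type, path, pattern: p.id });
      }
    }
  }
  return findings;
}

// Convenience wrapper for the JSON text of a workflow export.
function scanExport(jsonText) {
  return scanWorkflow(JSON.parse(jsonText));
}

// Constructed export: one benign expression, one escape attempt, one evasion.
const SAMPLE_EXPORT = JSON.stringify({
  name: 'constructed sample',
  nodes: [
    { name: 'Greeting', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'msg', value: '={{ "Hello " + $json.name }}' }] } } },
    { name: 'Suspicious', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'x',
        value: "={{ this.constructor.constructor('return process')().mainModule.require('child_process') }}" }] } } },
    { name: 'Evasive', type: 'n8n-nodes-base.code',
      parameters: { jsCode: "const p = this['constructor']['constructor']('return process')();" } },
  ],
});
```

The same function can be run over each row returned by the workflow_entity query, since the nodes column holds the same array of node objects that an export contains.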

Runtime behavioral indicators:

  • Unexpected child processes spawned by n8n (check ps aux | grep n8n)
  • Outbound network connections to external IPs from n8n process
  • File system modifications outside /home/node/.n8n/ directory
  • Execution of system commands (sh, bash, curl, wget, nc) as child processes of n8n

Log patterns (n8n application logs):

  • Expression evaluation errors mentioning mainModule, require, or process
  • Workflow execution failures with sandbox escape error messages
  • Unusual workflow execution times (complex evasion attempts take longer)

Mitigations

Detection Challenge: Ni8mare exploitation occurs in HTTP request bodies, which standard web server access logs don’t capture. Reliable detection requires inline network inspection (IDS/WAF) or reverse proxy request body logging, infrastructure most organizations don’t have at the n8n layer. Prioritize patching over detection.

Patching

Upgrade to fixed versions:

Vulnerability | Minimum Safe Version | Recommended
CVE-2026-21858 | 1.121.0 | 2.0.0+
CVE-2026-21877 | 1.121.3 | 2.0.0+
CVE-2025-68613 | 1.120.4 / 1.121.1 / 1.122.0 | 2.0.0+
CVE-2025-68668 | 2.0.0 | 2.0.0+
CVE-2025-68697 | 2.0.0 | 2.0.0+
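An added example (not from the advisory or n8n) that encodes the affected ranges stated in this advisory's version tables and reports which of the listed CVEs a given n8n version is still exposed to. Ranges are [introduced, fixed) with the fixed version excluded; CVE-2025-68697's introduced version is not given on the page, so it is treated as "every version before 2.0.0", which is an assumption. Pre-release suffixes are ignored.

```javascript
// Added example, not from the advisory: version-to-CVE assessment using the
// ranges in this advisory's tables. The CVE-2025-68697 lower bound is assumed.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const ADVISORY = [
  { cve: 'CVE-2026-21858', name: 'Ni8mare', ranges: [['1.65.0', '1.121.0']] },
  { cve: 'CVE-2026-21877', name: 'Git node file write', ranges: [['0.123.0', '1.121.3']] },
  { cve: 'CVE-2025-68613', name: 'Expression injection', ranges: [['0.211.0', '1.120.4'], ['1.121.0', '1.121.1']] },
  { cve: 'CVE-2025-68668', name: 'Pyodide sandbox escape', ranges: [['1.0.0', '2.0.0']] },
  { cve: 'CVE-2025-68697', name: 'Legacy Code node', ranges: [['0.0.0', '2.0.0']] }, // lower bound assumed
];

// [introduced, fixed): the fixed version itself is safe.
function inRange(v, [introduced, fixed]) {
  return compareVersions(v, parseVersion(introduced)) >= 0 && compareVersions(v, parseVersion(fixed)) < 0;
}

function assessVersion(versionText) {
  const v = parseVersion(versionText);
  const vulnerable = ADVISORY.filter((a) => a.ranges.some((r) => inRange(v, r))).map((a) => a.cve);
  let recommendation;
  if (vulnerable.length === 0) recommendation = 'not affected by the CVEs in this advisory';
  else if (vulnerable.includes('CVE-2026-21858')) recommendation = 'upgrade immediately: unauthenticated RCE (minimum 1.121.3, recommended 2.0.0+)';
  else recommendation = 'upgrade to 2.0.0+';
  return { version: versionText, vulnerable, recommendation };
}
```

The version string can be taken from the running container (`n8n --version` inside it) or from the image tag in docker-compose.yml; the 1.121.0 case in the test shows why the regression row in the CVE-2025-68613 table matters.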

Why 2.0.0? Version 1.121.x patches the critical unauthenticated Ni8mare vulnerability, but CVE-2025-68668 (Pyodide sandbox escape) and CVE-2025-68697 (Legacy Code node) are only fixed in 2.0.0 via task-runner-based sandboxing. Organizations using Python Code nodes or legacy execution modes remain vulnerable until upgrading to 2.0.0+.

Temporary Workarounds

If patching requires delay:

For CVE-2026-21877 (Arbitrary File Write via Git node):

# Disable Git node entirely (NODES_EXCLUDE takes a JSON array of node type names)
NODES_EXCLUDE='["n8n-nodes-base.git"]'

# Or combine with other high-risk nodes
NODES_EXCLUDE='["n8n-nodes-base.code","n8n-nodes-base.executeCommand","n8n-nodes-base.git"]'

Additionally: limit untrusted user access to workflow creation and editing.

For CVE-2026-21858 (Unauthenticated RCE via webhooks):

Disable webhook/form nodes entirely:

NODES_EXCLUDE='["n8n-nodes-base.webhook","n8n-nodes-base.formTrigger"]'

Caveat: this stops every webhook- and form-triggered workflow on the instance, so treat it as a stopgap for instances that cannot be patched or taken off the network, not as a standing control.

For CVE-2025-68613 and CVE-2025-68668 (Code execution nodes):

# Disable Code node and Execute Command node
NODES_EXCLUDE='["n8n-nodes-base.code","n8n-nodes-base.executeCommand"]'

# Restrict file system access (n8n 2.0+)
N8N_RESTRICT_FILE_ACCESS_TO="/allowed/path"
N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true

Note: NODES_EXCLUDE is a single variable, so when applying more than one of the workarounds above merge every excluded node type into one JSON array; setting the variable twice leaves only the last value in effect.

Implementation:

  • Docker Compose: Add to environment: section in docker-compose.yml
  • Systemd: Add to Environment= in service file (/etc/systemd/system/n8n.service)
  • npm/Direct Install: Add to .env file in n8n installation directory
  • IMPORTANT: Restart n8n after configuration changes (docker compose restart / systemctl restart n8n / restart process)

Configuration Hardening

Enable task-runner sandboxing (n8n 2.0.0+):

1
2
N8N_RUNNERS_ENABLED=true
N8N_NATIVE_PYTHON_RUNNER=true

References

Official Advisories

Vendor/Research Analysis

Supply Chain Attack Reports

Media Coverage

Data Sources

Primary (Baysec CTI Platform):

  • Baysec CTI: Vulnerability intelligence, Sha1-Hulud malicious package identification, threat actor attribution, MITRE ATT&CK mapping
  • Baysec Vulnripper: n8n CVE inventory, patch tracking, affected version analysis
  • Baysec Intelligence (AI): Threat correlation, timeline reconstruction, attribution analysis

Corroborating (External):


Public PoCs

Warning: Verify all PoC code before execution. Threat actors actively distribute malware through fake exploit repositories on GitHub, targeting security researchers with lures for recent CVEs. In December 2025, we observed campaigns distributing Webrat RAT through weaponized PoC repos. Review code manually, run in isolated environments, and cross-reference with trusted sources. See our December 2025 Threats Summary for details.

Repository | CVE | Description | Language | Activity
Chocapikk/CVE-2026-21858 | CVE-2026-21858 | Ni8mare – Unauthenticated file read → RCE chain | Python | 134⭐ 32 forks
Ashwesker/Ashwesker-CVE-2026-21858 | CVE-2026-21858 | Alternative Ni8mare exploit | – | 5⭐
eduardorossi84/CVE-2026-21858-POC | CVE-2026-21858 | Ni8mare PoC | – | –
AbdulRKB/n8n-RCE | CVE-2026-21858 | n8n RCE exploit | Python | 2⭐
wioui/n8n-CVE-2025-68613-exploit | CVE-2025-68613 | RCE exploit + scanner | Python | 82⭐ 22 forks
rxerium/CVE-2025-68613 | CVE-2025-68613 | Nuclei detection templates + exposure analysis | – | 29⭐
Ashwesker/Ashwesker-CVE-2025-68613 | CVE-2025-68613 | Expression injection exploit | – | 24⭐
hackersatyamrastogi/n8n-exploit-CVE-2025-68613-n8n-God-Mode-Ultimate | CVE-2025-68613 | “God Mode Ultimate” RCE exploit | Python | 18⭐
TheStingR/CVE-2025-68613-POC | CVE-2025-68613 | Expression injection PoC + scanner | Python | 12⭐
LingerANR/n8n-CVE-2025-68613 | CVE-2025-68613 | Lab environment to reproduce vulnerability | Python | 8⭐
mbanyamer/n8n-Authenticated-Expression-Injection-RCE-CVE-2025-68613 | CVE-2025-68613 | Authenticated RCE PoC | Shell | 2⭐
manyaigdtuw/CVE-2025-68613_Scanner | CVE-2025-68613 | GUI Shodan-powered scanner | Python | –
Shisui6/CVE-2025-68613 | CVE-2025-68613 | Expression injection PoC | Python | 3⭐
DarkTigerET/CVE-2025-68613 | CVE-2025-68613 | Alternative exploit implementation | – | 1⭐
imjdl/CVE-2025-68613-EXP | CVE-2025-68613 | n8n RCE exploit tool | Python | 4⭐
Trickest CVE-2025-55526 | CVE-2025-55526 | Directory traversal exploit metadata | – | –

Protect Your Infrastructure with Baysec Vulnripper

What is Vulnripper?

Vulnripper is an offline-first vulnerability intelligence tool for security teams managing self-hosted infrastructure. It provides instant CVE lookups, network scanning, and optional threat intelligence enrichment, all without requiring constant internet connectivity.

The n8n problem: Of the 100,000+ exposed n8n instances, most organizations didn’t know they were running vulnerable versions until exploitation began. Vulnripper would have flagged these automatically.

Key Capabilities

Feature | Description
Vulnerability Database | Large database of known vulnerabilities updated from trusted security sources worldwide
Agent-Based Discovery and Scanning | Agents installed on your systems automatically discover software and analyze dependencies
Network Discovery and Scanning | Integrates with existing security tools for comprehensive coverage
IT Asset Inventory | Automatically discovers and tracks all IT assets – servers, applications, services, and software components
SCA, SBOM & Dependency Analysis | Performs software composition analysis to identify vulnerable dependencies
Always-On Monitoring | Continuously monitors for new vulnerabilities and software changes

Why Vulnripper?

  • Works completely offline if needed for air-gapped environments and penetration tests
  • Connects to Baysec CTI services for enriched threat intelligence
  • Easy deployment and installation - agents or network scanning without disrupting operations
  • Clear reports that help security teams take action quickly

Plans

Plan | Best For
Pro | Organizations needing vulnerability scanning and asset inventory
Intel | Organizations requiring full vulnerability intelligence and CTI integration with advanced threat correlation and trends

Contact Us

Ready to identify vulnerabilities before attackers do?