100,000+ n8n Instances Exposed to Internet Vulnerable to RCE Attacks

A critical vulnerability affecting the popular n8n workflow automation platform has put over 100,000 internet-exposed instances at severe risk.

Security researchers from The Shadowserver Foundation discovered that 105,753 unique n8n instances are vulnerable to remote code execution (RCE) attacks through CVE-2026-21858.

n8n is a workflow automation platform that connects various applications, services, and databases. Organizations use it to automate business processes, integrate APIs, and manage data flows across their systems.

The platform has gained significant adoption among enterprises and startups for its flexibility and ease of use.

CVE ID	CVSS Score	Affected Product	Vulnerability Type	Impact
CVE-2026-21858	10.0	n8n Workflow Automation	Remote Code Execution (RCE)	Full instance takeover, data exposure

The Vulnerability Explained

CVE-2026-21858 has a CVSS score of 10.0, making it a critical threat. The flaw stems from a content-type confusion issue in n8n’s webhook handling.

Attackers can send specially crafted HTTP requests with manipulated headers to exploit this weakness.

The vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers, read sensitive system files, extract stored credentials and secrets, forge administrator sessions, and ultimately achieve full instance takeover.

No authentication is required, meaning anyone can exploit this vulnerability without any user interaction. The Shadowserver Foundation’s scan conducted on January 9, 2026, identified alarming numbers.

Scan results for n8n CVE-2026-21858 (CVSS 10.0 RCE) for 2026-01-09: 105,753 vulnerable instances by unique IP found – out of 230,562 IPs with n8n we see that day.

Dashboard Tree Map view: https://t.co/L67BdFnBX6

IP data in Vulnerable HTTP reports: https://t.co/qxv0Gv6cAK pic.twitter.com/MhrRuPO10R

— The Shadowserver Foundation (@Shadowserver) January 10, 2026

Out of 230,562 IP addresses running n8n, approximately 105,753 instances were found to be vulnerable. This represents nearly 46 percent of exposed n8n deployments.

The vulnerability primarily affects n8n versions 1.65.0 through 1.120.x. Systems that have not been patched remain at immediate risk.

Organizations running n8n must immediately upgrade to version 1.121.0 or later, as it includes the security patch.

The vulnerability is particularly dangerous because proof-of-concept exploits are publicly available, and attackers actively scan for vulnerable instances.

Internet-exposed n8n deployments are prime targets, as attackers can exploit the vulnerability to gain access to connected databases, APIs, and third-party services used by workflows, potentially leading to widespread data breaches.

Organizations should prioritize updating n8n installations immediately. Restrict network access using firewalls. Monitor logs for suspicious webhook requests. Review connected integrations and credentials.

Consider using a VPN or a private network instead of exposing your network to the internet. The n8n community and security researchers continue monitoring the threat landscape to identify additional vulnerable instances.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post 100,000+ n8n Instances Exposed to Internet Vulnerable to RCE Attacks appeared first on Cyber Security News.