N8n的一处严重缺陷让攻击者远程接管自托管系统;更新为1.121.0版或以后。 A critical flaw in n8n lets attackers take over self-hosted systems remotely; update to version 1.121.0 or later.

在n8n自动化平台中存在一个关键漏洞,CVE-2026-21858,被称为"Ni8mare",允许未经认证的远程代码执行,CVSS分数为10.0. A critical vulnerability, CVE-2026-21858, dubbed "Ni8mare," in the n8n automation platform allows unauthenticated remote code execution with a CVSS score of 10.0. Cyera发现,它源于内容型混淆的缺陷,使攻击者能够操纵HTTP信头,在自办的场合上获得系统的全面访问。 Discovered by Cyera, it stems from a Content-Type confusion flaw enabling attackers to manipulate HTTP headers and gain full system access on self-hosted instances. 这种缺陷影响到广泛使用的自营部署,有1亿多多多克拉力和数千个组织依靠n8n进行整合。 The flaw affects widely used self-hosted deployments, with over 100 million Docker pulls and thousands of organizations relying on n8n for integrations. 不存在变通办法,用户必须升级到1.121.0版或以后。 No workaround exists, and users must upgrade to version 1.121.0 or later. N8n小组在2025年11月9日接到通知后9天内解决了这个问题。 The n8n team patched the issue within nine days of being notified on November 9, 2025.