PRP: n8n - Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858)

[frkngksl]

• Identifier of the vulnerability: CVE-2026-21858 - Ni8mare - CVSS 10.0
• Affected software: n8n
• Type of vulnerability: Admin Token Forge to RCE
• Requires authentication: No
• Language you would use for writing the plugin: Templated plugins
• Resources:
  • https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
  • https://github.com/Chocapikk/CVE-2026-21858
  • GHSA-v4pr-fm98-w9pg
  • https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 1 issues tagged as main;
• The contributor has 2 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor