Issue 287: Critical RCEs in n8n, HPE OneView, SmarterMail, and an Authentication Bypass in IBM API Connect


Welcome to this first edition of the APIsecurity newsletter for 2026. I’m Philippe Leothaud, CTO and co-founder of 42Crunch, and your new Newsletter Editor. I’d like to thank Anthony Lonergan for the excellent work he’s done over the years building this newsletter into a trusted source for API security news and insights. I’ll continue that tradition — with a strong focus on real-world API incidents, design-time protections, and the growing impact of automation and AI on API ecosystems.

Below are the most significant API-relevant security stories from the last few weeks — from critical RCEs to a gateway authentication bypass and automation-platform exploits, plus an excellent article on BOLA.

Vulnerability: Ni8mare – Critical Unauthenticated RCE in n8n Workflows

A new critical vulnerability in the n8n workflow automation platform — tracked as CVE-2026-21858 and dubbed Ni8mare — discovered by the Data Security Platform vendor Cyera has shaken the automation world with its maximum CVSS 10.0 severity and its potential for unauthenticated remote code execution.

The issue stems from a Content-Type parsing confusion in n8n webhooks and form requests, enabling attackers to override expected input structures and read arbitrary server files, including configuration and authentication secrets. With those secrets, attackers can forge administrative sessions and build malicious workflows that execute arbitrary code without valid credentials. 

Because n8n sits at the heart of many API integrations and automation pipelines, a compromised instance can pivot into broader environments. All internet-accessible deployments prior to v1.121.0 are vulnerable and should be patched immediately; restricting public webhook and form endpoints can reduce exposure in the meantime. 

See the full analysis by Cyera Research Labs

Vulnerability: IBM API Connect – Critical Authentication Bypass

IBM has disclosed and patched a critical authentication bypass in IBM API Connect, rated CVSS 9.8. 

Classified as CWE-305: Authentication Bypass by Primary Weakness, this flaw allows remote attackers with no privileges and no user interaction to bypass authentication and gain unauthorized access to API Connect’s management interfaces. 

Successful exploitation can expose sensitive API configurations, administrative functions, and backend services without valid credentials — undermining a core access control layer in API infrastructure. 

Affected versions include 10.0.8.0 through 10.0.8.5 and 10.0.11.0; IBM has published interim fixes (iFixes) to remediate the issue. Customers unable to patch immediately should harden access to management interfaces as an interim control. 

Some information is available, though the technical details of the flaw have not been disclosed publicly.

Vulnerability: HPE OneView – RCE via unauthenticated REST API operation

A maximum-severity RCE flaw has been disclosed in Hewlett Packard Enterprise OneView, a centralized infrastructure management platform. 

This vulnerability exists in a REST API endpoint (/rest/id-pools/executeCommand) that accepts command parameters without proper authentication, allowing unauthenticated attackers to inject and execute arbitrary code on affected servers. Rapid7’s research highlights how the lack of authentication enforcement on the executeCommand API effectively exposes powerful control functions to attackers.

Because OneView manages servers, firmware, networking, and lifecycle workflows, exploitation can lead to full infrastructure compromise. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog, underscoring active risk. Affected installations should update to v11.0 or apply vendor hotfixes immediately.

Vulnerability: SmarterMail – Pre-Auth RCE in Email Server

After the n8n vulnerability, another file-upload-based issue opening the door to unauthenticated remote code execution was identified in SmarterTools’ SmarterMail platform, earning a CVSS 10.0 rating and prompting advisories from Singapore’s Cyber Security Agency (CSA).

WatchTowr Labs’ analysis, excellent as always, shows that an unauthenticated file-upload API (/api/upload) fails to validate the user-supplied path parameter (contextData), enabling path traversal and the writing of files, such as web shells, to arbitrary locations. Attackers can upload a malicious .aspx shell into a web-visible directory, leading to full RCE under the SmarterMail service context.

The issue was silently patched in Build 9413 (October 2025) and the public advisory lagged, creating a significant exposure window for internet-facing deployments. Administrators should update immediately and audit for unauthorized artifacts. 
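The defect described above, a path parameter joined onto a server directory without validation, is easy to illustrate on the defending side. The following is an added example, not code from SmarterTools or from the WatchTowr analysis: the upload root, the file names and the extension allowlist are constructed, and only the two parameter names (contextData and the uploaded file name) follow the analysis. It places the trusting join beside a hardened version that validates both client-controlled values and then re-checks the resolved path.

```python
import os
from pathlib import Path, PurePosixPath

# Constructed example root; the real SmarterMail directory layout is not known from the article.
UPLOAD_ROOT = Path("/srv/app/uploads")

# Allowlist of data-file extensions. Server-executable types (.aspx, .ashx, ...) are
# deliberately absent, so even a traversal that slipped past the path checks could
# not plant a script the web server would run.
ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf", ".txt", ".eml"}


def normalized(p: Path) -> Path:
    """Collapse '.' and '..' lexically, without touching the filesystem."""
    return Path(os.path.normpath(str(p)))


def naive_target(context_data: str, filename: str) -> Path:
    """The pattern the advisory describes: the caller's path fragment is trusted as-is."""
    return normalized(UPLOAD_ROOT / context_data / filename)


def escapes_root(target: Path) -> bool:
    """True unless the normalized target sits strictly inside UPLOAD_ROOT."""
    return normalized(UPLOAD_ROOT) not in target.parents


def safe_target(context_data: str, filename: str) -> Path:
    """Validate both client-controlled values, then re-check the resolved result."""
    # 1. The directory hint must be relative and free of parent references.
    #    Backslashes are folded to '/' so Windows-style traversal is caught too,
    #    and ':' is refused so a drive letter cannot re-root the path.
    rel = PurePosixPath(context_data.replace("\\", "/"))
    if rel.is_absolute() or ".." in rel.parts or ":" in context_data:
        raise ValueError(f"rejected contextData: {context_data!r}")

    # 2. The file name must be a single component with an allow-listed extension.
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError(f"rejected filename: {filename!r}")
    if Path(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected extension: {filename!r}")

    # 3. Defence in depth: whatever the checks above missed, the final path must
    #    still resolve to a location under the upload root.
    target = normalized(UPLOAD_ROOT.joinpath(*rel.parts, filename))
    if escapes_root(target):
        raise ValueError(f"path escapes upload root: {target}")
    return target


def accepts(context_data: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened check admit this request?"""
    try:
        safe_target(context_data, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request values, modelled on the two parameters the analysis names.
    print(naive_target("../../wwwroot", "shell.aspx"))     # lands outside the upload root
    print(accepts("mailbox/attachments", "invoice.pdf"))   # True
    print(accepts("../../wwwroot", "shell.aspx"))          # False
```

The three checks are layered on purpose: the first two reject the obvious inputs with a clear error, and the final containment check is what protects you when a normalization rule you did not think of (a different separator, a drive letter, an encoding the framework decodes late) gets past them.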

Article: Do you really understand BOLA?

In our last issue of 2025, we pointed out the most frequent vulnerabilities identified in this newsletter in the previous 12 months. Number 2 on that list was BOLA (Broken Object Level Authorization). BOLA is still a major problem. In his recent article on Hackernoon, Igboanugo David Ugochukwu gives an excellent, detailed explanation of BOLA, the #1 API security vulnerability identified by OWASP.

He asks a simple question: “So once I’m logged in as User 47, what stops me from just requesting User 48’s data?” As he rightly points out, BOLA is “the vulnerability that sounds boring in conference talks but costs companies their entire customer database on a Tuesday afternoon!”

And his advice on how to fix it? “…you need every engineer who touches user data to ask, ‘Am I checking that this user is allowed to access this specific object?’ Every time. No exceptions.”

BOLA needs a proper DevSecOps approach, and too many teams are not tackling it correctly; as a result, many APIs are probably leaking data right now.
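The question quoted above can be made concrete in a few lines. What follows is an added example, not code from the article or its author: a constructed order-lookup handler with in-memory data, where the user IDs 47 and 48 follow the article’s example and everything else (the Order record, the support role, the audit list) is assumed. It shows the handler as it is too often written, authenticated but never asking about the specific object, beside a hardened version that routes every access through one object-level policy and records denials so that ID enumeration can be detected.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    """Who is calling. Authentication has already succeeded; that is not the question here."""
    user_id: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: one order each for User 47 and User 48.
ORDERS: Dict[int, Order] = {
    1001: Order(order_id=1001, owner_id=47, total_cents=2599),
    1002: Order(order_id=1002, owner_id=48, total_cents=10999),
}

# Denied object-level accesses, kept so they can be alerted on. One user walking
# through many IDs they do not own is exactly the pattern a detection rule wants.
AUDIT_LOG: List[dict] = []


def get_order_vulnerable(session: Session, order_id: int) -> Optional[Order]:
    """GET /orders/{id} as too many handlers write it.

    The caller is authenticated, but nothing asks whether *this* user may see
    *this* order, so User 47 can request order 1002 and receive User 48's data.
    """
    return ORDERS.get(order_id)


def may_access(session: Session, order: Order) -> bool:
    """The one object-level policy every handler must consult.

    Kept in a single function so the answer to "am I checking that this user is
    allowed to access this specific object?" is always the same code path.
    """
    return order.owner_id == session.user_id or "support" in session.roles


def get_order(session: Session, order_id: int) -> Optional[Order]:
    """Hardened GET /orders/{id}: load the object, then authorize against it."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if not may_access(session, order):
        AUDIT_LOG.append({"user_id": session.user_id, "order_id": order_id, "event": "bola_denied"})
        # Answer exactly as for a missing order, so a caller cannot tell valid
        # foreign IDs from non-existent ones by comparing responses.
        return None
    return order


def denials_for(user_id: int) -> int:
    """How many object-level denials a user has accumulated (input for an alert threshold)."""
    return sum(1 for e in AUDIT_LOG if e["user_id"] == user_id)


if __name__ == "__main__":
    caller = Session(user_id=47)
    print(get_order_vulnerable(caller, 1002))   # User 48's order leaks
    print(get_order(caller, 1002))              # None
    print(get_order(caller, 1001).total_cents)  # 2599
```

Two design points matter more than the specific code. First, the check runs against the loaded object, not against the ID in the URL, because ownership is a property of the record. Second, the policy lives in one function that every handler calls, which is what makes “every time, no exceptions” reviewable: a handler that reaches the data store without passing through may_access is visibly wrong in code review. An equivalent pattern is to scope the query itself by owner (SELECT ... WHERE id = ? AND owner_id = ?), so that foreign objects are simply never fetched.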

Webinar: State of API Security 2026

Join Anthony Lonergan and Heshaam Attar later this month for a webinar introducing the State of API Security Report.

The 2026 report delivers a data-driven analysis of real-world API vulnerabilities, showing how common mistakes in implementation translate into security risks in production. 

Drawing on two years of investigative research from the industry’s leading APIsecurity.io newsletter that includes cases from a wide range of independent sources, the webinar highlights the most common API flaws, from broken input validation and missing authentication to operation-level authorization failures.

