Critical n8n Flaws: Your AI Workflows Might Be Compromised

Multiple critical vulnerabilities in n8n let any authenticated user take over your server. If you're running AI automation workflows, check this now.

If you're using n8n for AI workflow automation — connecting ChatGPT to your tools, building agents, automating with Claude or local LLMs — you need to stop and update immediately.

Researchers just disclosed multiple critical vulnerabilities (CVE-2026-25049) that let any authenticated user escape n8n's sandbox and take complete control of your server. Not admin users. Any authenticated user who can create or edit workflows.

The exploits are public. Attackers are already scanning for vulnerable instances.

What Is n8n?

n8n is an open-source workflow automation platform — think Zapier, but self-hosted and infinitely more powerful. You can build workflows that connect hundreds of services, run custom JavaScript, and execute complex logic.

For AI work specifically, n8n is popular because you can:

  • Chain multiple AI models together (Claude for analysis, GPT for summarization)
  • Connect LLMs to databases, APIs, and internal tools
  • Build autonomous agents that take actions based on AI responses
  • Automate document processing with vision models
  • Create AI-powered chatbots that integrate with your systems

If you've ever wanted your AI to actually do things — not just chat — n8n is how many people make that happen.

Which is exactly why this vulnerability is so dangerous.

What's the Vulnerability?

n8n lets you write JavaScript expressions in your workflows. To prevent abuse, there's supposed to be a sandbox that restricts what that code can do.

The sandbox is broken. Multiple ways.

Researchers found that any authenticated user who can create or edit workflows can escape the sandbox and execute arbitrary code on the n8n server. The attack chain looks like this:

  1. Create a workflow with a malicious JavaScript expression
  2. Bypass the sanitization checks (researchers published exactly how)
  3. Access Node.js internals that should be blocked
  4. Execute any system command you want

"The attack requires nothing special," the researchers note. "If you can create a workflow, you can own the server."

What Can Attackers Do?

Once they've escaped the sandbox, attackers can:

Run system commands. Full shell access to your server. Install malware, create backdoor users, whatever they want.

Steal all your credentials. n8n stores API keys, OAuth tokens, and connection secrets for every service you've integrated. Database passwords, cloud credentials, API keys — all accessible.

Access your filesystem. Read configuration files, environment variables, SSH keys, and anything else on the server.

Hijack your AI workflows. Intercept prompts sent to LLMs, modify responses coming back, redirect traffic to attacker-controlled endpoints. If you're processing sensitive data through AI workflows, it's compromised.

Pivot to connected systems. Those database credentials? Those API keys? Attackers can use them to move into your cloud accounts, internal systems, and connected services.

Access other tenants' data. If you're running n8n in a multi-tenant setup (multiple teams sharing one instance), attackers can potentially access other tenants' workflows and credentials.

Are You Affected?

If you're running n8n, assume yes until proven otherwise.

Check your version:

# Docker
docker exec -it n8n n8n --version

# npm install
n8n --version

Affected versions:

  • All versions before 2.5.2 (latest stable branch)
  • All versions before 1.123.17 (LTS branch)

If you're below those versions, you're vulnerable.
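To apply that check across several instances, the comparison has to be numeric and branch-aware: a plain string compare ranks 1.99.0 above 1.123.17, and a blanket "below 2.5.2" test flags a patched LTS install. The following is an added example, not n8n's own tooling; it assumes 1.x is the LTS branch and 2.x the latest stable branch, and the host names and outputs are constructed.

```python
import re

# Fixed releases named in the article, keyed by major version.
# Assumption: 1.x is the LTS branch and 2.x is the latest stable branch.
FIXED = {1: (1, 123, 17), 2: (2, 5, 2)}

def classify(version_output):
    """Classify the text printed by `n8n --version` as patched, vulnerable or unknown."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return "unknown"                    # no version string: check the host by hand
    version = tuple(int(part) for part in m.groups())  # ints, so 1.99.0 < 1.123.17
    if version[0] < min(FIXED):
        return "vulnerable"                 # older than every fixed branch
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"                    # a branch the article does not mention
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Return the hosts that are not confirmed patched, sorted by name."""
    return sorted(h for h, out in inventory.items() if classify(out) != "patched")

# Constructed inventory: host name -> captured `n8n --version` output.
INVENTORY = {
    "automation-01": "2.5.2",
    "ai-agents": "2.4.9",
    "legacy-lts": "1.123.17",
    "old-lts": "1.99.0",
    "lab": "n8n: command not found",
}

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(host, classify(INVENTORY[host]))
```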

Check if you're exposed to the internet:

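Many people run n8n on cloud servers or with exposed ports. Check which address it is listening on; a bind to 0.0.0.0 or a public IP means the port is reachable from outside the host unless a firewall or security group blocks it: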

# Check what's listening
ss -tlnp | grep 5678  # n8n default port

If n8n is accessible from the internet, the risk is higher — but even internal-only instances are vulnerable if any user account is compromised.

How to Fix It

Step 1: Update Immediately

This is the priority. Update to version 2.5.2 or 1.123.17 (depending on your branch).

Docker:

docker pull n8nio/n8n:latest
docker-compose down
docker-compose up -d

npm:

npm update -g n8n

Docker Compose update:

Change your docker-compose.yml:

services:
  n8n:
    image: n8nio/n8n:2.5.2  # or n8nio/n8n:1.123.17 for LTS

Then restart:

docker-compose pull
docker-compose up -d

Step 2: Rotate Your Encryption Key

n8n encrypts stored credentials using N8N_ENCRYPTION_KEY. After this vulnerability, assume that key may have been compromised.

Generate a new key:

openssl rand -hex 32

Update your environment:

# .env file or environment
N8N_ENCRYPTION_KEY=your_new_key_here

Warning: Changing the encryption key will break access to existing credentials. You'll need to re-enter them in your workflows.

Step 3: Rotate All Stored Credentials

Any API key, OAuth token, database password, or secret stored in n8n should be considered potentially compromised.

This is tedious but necessary:

  1. List all credentials in n8n (Settings → Credentials)
  2. For each one, go to the source service and rotate the key/password
  3. Update the credential in n8n

Prioritize based on sensitivity: cloud provider keys, database passwords, and payment processor tokens first.

Step 4: Review Your Workflows

Check for suspicious expressions or workflows you didn't create:

  • Look at recently modified workflows
  • Check the execution log for unusual activity
  • Review any workflow containing JavaScript Code nodes

If you find anything suspicious, assume compromise and investigate further.
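One way to run this review over a whole instance, as an added example rather than n8n's own tooling: export the workflows to JSON (for instance with `n8n export:workflow --all --output=workflows.json`) and rank them for manual inspection. The sample data, the review window and the `NODE_INTERNALS` keyword list are constructed assumptions; the keyword list is a prioritization heuristic, not an indicator taken from the advisory.

```python
import re
from datetime import datetime, timezone

# Node types that run user-supplied JavaScript (Code node and legacy Function nodes).
CODE_NODE_TYPES = {"n8n-nodes-base.code", "n8n-nodes-base.function",
                   "n8n-nodes-base.functionItem"}
# Reviewer's heuristic (an assumption, not an indicator from the advisory):
# Node.js names that data-mapping expressions rarely need.
NODE_INTERNALS = re.compile(r"\b(process|require|child_process)\b")

def expressions(value):
    """Yield each n8n expression ('=' prefix containing '{{') in a parameter tree."""
    if isinstance(value, str):
        if value.startswith("=") and "{{" in value:
            yield value
    elif isinstance(value, (dict, list)):
        for child in (value.values() if isinstance(value, dict) else value):
            yield from expressions(child)

def triage(workflows, since):
    """Return workflows that need a human look, most recently modified first."""
    findings = []
    for wf in workflows:
        updated = datetime.fromisoformat(wf["updatedAt"].replace("Z", "+00:00"))
        nodes = wf.get("nodes", [])
        code_nodes = [n["name"] for n in nodes if n.get("type") in CODE_NODE_TYPES]
        flagged = [e for n in nodes for e in expressions(n.get("parameters", {}))
                   if NODE_INTERNALS.search(e)]
        reasons = [label for hit, label in (
            (updated >= since, "recently modified"),
            (code_nodes, "code node"),
            (flagged, "expression references Node.js internals")) if hit]
        if reasons:
            findings.append({"name": wf["name"], "updated": updated, "reasons": reasons,
                             "code_nodes": code_nodes, "flagged": flagged})
    return sorted(findings, key=lambda f: f["updated"], reverse=True)

# Constructed sample in the shape of an exported workflow list (not real data).
SAMPLE = [
    {"name": "Summarize tickets", "updatedAt": "2025-11-02T09:00:00.000Z",
     "nodes": [{"name": "Set", "type": "n8n-nodes-base.set",
                "parameters": {"value": "={{ $json.subject }}"}}]},
    {"name": "Nightly report", "updatedAt": "2026-02-03T22:14:00.000Z",
     "nodes": [{"name": "Transform", "type": "n8n-nodes-base.code",
                "parameters": {"jsCode": "return items;"}}]},
    {"name": "Lead sync", "updatedAt": "2026-01-20T08:30:00.000Z",
     "nodes": [{"name": "Edit", "type": "n8n-nodes-base.set",
                "parameters": {"assignments": [{"value": "={{ process.env.HOME }}"}]}}]},
]
SINCE = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed start of review window
```

For a real instance, load the export with `json.load` and pass the list to `triage` with a cutoff that predates the disclosure. A workflow that does not appear in the output is not cleared; it only ranks lower for review.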

Step 5: Limit Workflow Creation Permissions

Even after patching, defense in depth matters.

In n8n, not everyone needs the ability to create or edit workflows. If possible:

  • Restrict workflow creation to trusted administrators only
  • Use separate n8n instances for different trust levels
  • Enable workflow version history to track changes

If You Can't Update Immediately

The n8n team provides a temporary workaround, though it's not a complete fix:

  1. Limit workflow permissions: Only allow fully trusted users to create or edit workflows
  2. Harden the environment: Run n8n with minimal OS privileges and restricted network access
  3. Block or limit the Code node: If you're not using JavaScript execution in workflows, consider blocking access to it

These reduce risk but don't eliminate it. Update as soon as possible.

The Bigger Picture

This vulnerability highlights a fundamental tension in automation platforms: power versus safety.

n8n's ability to run arbitrary JavaScript is what makes it useful for complex AI workflows. It's also what makes sandbox escapes so dangerous.

If you're building AI automation — connecting models to real systems, letting agents take actions — you're inherently working with powerful tools that can cause damage if misused.

Some takeaways:

Self-hosted doesn't mean safe. Running your own n8n gives you control, but you're also responsible for security updates. Subscribe to security advisories for tools you self-host.

Audit your credentials regularly. Know what secrets are stored where. Have a process for rotation.

Assume breach for critical updates. When a vulnerability this severe is disclosed with public exploits, assume the worst and act accordingly. Patch, rotate, review.

Defense in depth matters. Even when patched, limit blast radius. Principle of least privilege. Separate environments. Monitoring.

Update now. Rotate credentials. Review workflows. Then get back to building — this time on a secure foundation.
