n8n Agent Security Risks

Custom Workflow Agents · n8n.io
AI Risk Quadrant position: Exposed Giants (Defense Controls 4, Attack Surface 7.41)
AIRQ Score 5.95 (High) · Attack Surface 7.41 (Critical) · Blast Radius 8 (Critical) · Defense Controls 4 (High)
About The Agent

n8n is a self-hostable workflow automation platform that runs as a long-lived daemon with full access to the host filesystem, network stack, and an encrypted credential store holding OAuth tokens, API keys, and database passwords for hundreds of configured integrations. Its AI Agent node delegates reasoning to interchangeable LLMs while granting tool-calling authority over arbitrary code execution, shell commands, HTTP requests, and community-contributed npm packages that execute in the same runtime without sandboxing.

About the AI Risk Quadrant

Exposed Giants placement reflects that n8n combines near-maximum attack surface exposure and blast radius with minimal default defense controls. The platform accepts unauthenticated public input, executes code with daemon-level privileges through repeatedly bypassed sandboxes, decrypts the full credential store at runtime, and sends unrestricted outbound HTTP requests — while shipping no input guardrails, no output filtering, and only opt-in execution isolation and monitoring.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration: unrestricted inbound input channels, repeatedly bypassed execution sandboxes, autonomous credential-backed actions, absent output filtering, and opt-in-only monitoring.

Key Input Risks
Webhooks and Form nodes accept unauthenticated HTTP requests from the public internet that flow directly into expression evaluation without content validation or filtering. A government advisory and an independently confirmed unauthenticated file-access vulnerability [1] [19] anchor the public-facing input exposure.
Key Execution Risks
The default internal task runner executes JavaScript and Python as a child process sharing the n8n daemon's uid and gid, providing no meaningful isolation boundary. Independent security researchers have repeatedly bypassed the AST-based expression sandbox to achieve full host-level remote code execution [2] [3] [9].
Key Action Risks
Cron and interval triggers fire workflow executions autonomously without per-action operator approval, granting credential-backed API calls, database mutations, filesystem writes, and shell commands on schedule. The credential store decrypts all stored OAuth tokens and API keys at runtime for any activated workflow [4] [18].
Key Output Risks
Workflow responses and binary data objects flow to callers and downstream consumers without DLP, credential redaction, or URL sanitization in the default output pipeline. Stored cross-site scripting via inline binary data without Content-Security-Policy headers enables session hijacking in higher-privileged user contexts [8].
Key Monitoring Risks
Execution history is logged to the internal database with per-execution status and timing, but behavioral anomaly detection and SIEM forwarding are not active by default. OpenTelemetry integration is documented as opt-in, leaving the operator blind to exploitation patterns unless external monitoring infrastructure is provisioned [16].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. n8n scores at the high end of combined risk where broad attack exposure meets minimal default safeguards across all five defense components.

AIRQ Metrics

The platform lands in Exposed Giants because its attack surface and blast radius both approach their respective ceilings while defense controls remain near the floor of the scale.

Each metric below measures one dimension of operator-inherited risk: Attack Surface out of ten, Blast Radius out of ten, Defense Controls out of fifteen, and the AIRQ composite out of fifteen.

Metric | Score | Comments
AIRQ Score | 5.95 / 15 | High composite risk driven by the combination of near-ceiling exposure and blast radius against minimal default defenses.
Blast Radius | 8 / 10 | Compromise reaches arbitrary code execution, the full encrypted credential store, filesystem access, and unrestricted network egress.
Attack Surface | 7.41 / 10 | Multiple surfaces carry confirmed exploitation, with unauthenticated and authenticated remote code execution paths documented.
Defense Controls | 4 / 15 | Input guardrails and output filtering are absent by default; only Execution Isolation and Action Controls carry partial credit.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. n8n exposes its reasoning loop to unauthenticated webhooks, untrusted community packages, arbitrary HTTP fetches, and MCP protocol messages on the documented default configuration.

Attack Surface Metrics

Higher scores indicate surfaces where the platform accepts attacker-controlled input with minimal validation and where exploitation has been independently confirmed.

Each row below maps one interaction pattern to a base score reflecting the architectural exposure and a comment citing the anchoring evidence.

Surface | Score | Comments
User Input | 5 / 4 | Webhooks and Form nodes accept unauthenticated public HTTP requests feeding directly into expression evaluation; confirmed unauthenticated file access [1] and zero-click RCE [11] anchor the ceiling score.
External Data | 3 / 4 | HTTP Request node fetches arbitrary URLs with SSRF protection disabled by default; no content validation runs on ingested payloads before expression evaluation [14].
Memory | 2 / 4 | AI Agent memory nodes persist conversation context across sessions in vector stores and buffer backends without integrity verification or poisoning detection [17].
Reasoning | 3 / 4 | Model-agnostic LangChain architecture delegates reasoning to interchangeable LLMs through the AI Agent node without output validation or reasoning-chain integrity checks [17].
Planning | 3 / 4 | Cron and interval triggers enable autonomous background execution of multi-step workflows with sub-workflow delegation through the Workflow Tool node [13].
Tool Execution | 5 / 4 | Expression sandbox escape to full RCE [2], HTTP Request node prototype pollution to RCE [6], and Python sandbox escape [3] independently confirm that the tool execution surface is fully compromisable.
Orchestration | 3 / 4 | Webhook triggers, cron scheduling, and queue-mode workers run concurrent autonomous workflows; prototype pollution via xml2js in webhook handlers chains to RCE [5].
Inter-Agent | 3 / 4 | Built-in MCP server exposes workflows to external AI agents with bearer-token authentication but without input validation or rate limiting on the exposed tool surface [17].
Output Processing | 4.5 / 4 | Binary data served inline without Content-Security-Policy headers enables stored cross-site scripting for session hijacking in higher-privileged user contexts [8].
Configuration | 5 / 4 | Community nodes install arbitrary npm packages with full runtime privileges; Source Control Pull accepts crafted JSON enabling SQL injection [7]; a supply chain attack exfiltrated credentials [12].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. n8n ingests unauthenticated webhook and Form node submissions, decrypts stored OAuth tokens and API keys at runtime, and sends unrestricted outbound HTTP requests through its default configuration.

Lethal Trifecta · Complete (3 of 3)

n8n exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Webhooks accept unauthenticated public HTTP requests and Form nodes receive anonymous user-submitted data feeding into expression evaluation [1].
  • Sensitive data — The encrypted credential store holds OAuth tokens, API keys, and database passwords decrypted at runtime; full credential-store decryption was independently confirmed [10].
  • External egress — HTTP Request node sends unrestricted outbound traffic to any destination without default egress controls; supply chain attack confirmed credential exfiltration to external servers [12].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised n8n workflow inherits daemon-level code execution, the full encrypted credential store, unrestricted filesystem access, and outbound network egress on the host.

Blast Radius Metrics

Higher scores indicate factors where compromise of a single workflow grants the attacker direct access to the operator's infrastructure and stored secrets.

Each row ties a blast factor to the specific workflow node, credential scope, or system privilege that enables it on the default configuration.

Factor | Score | Comments
Code execution | 4 / 4 | Expression sandbox escapes and the Execute Command node grant arbitrary system command execution as the n8n daemon process; independently confirmed by security researchers [2] [9].
File system access | 3 / 4 | Read/Write File nodes and the unauthenticated webhook exploit grant access to the host filesystem with the daemon user's permissions; arbitrary file read confirmed [20].
Network access | 3 / 4 | HTTP Request node makes unrestricted outbound connections with SSRF protection disabled by default; no IP blocklist or egress firewall is active until configured [14].
Credential access | 4 / 4 | Encrypted credential store decrypted at runtime holds OAuth tokens, API keys, and database passwords; expression sandbox escape grants access to the decryption key [10] [21].
Autonomous action | 3 / 4 | Cron and interval triggers execute workflows autonomously without operator oversight, performing credential-backed API calls and database writes on schedule [13].
Deployment access | 2 / 4 | Integration nodes can trigger CI/CD pipelines and cloud deployments through stored API credentials, but no dedicated infrastructure-provisioning capability ships by default [13].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. n8n publishes opt-in execution isolation and RBAC access controls but ships no input guardrails or output filtering active by default on the documented configuration.

Defense Controls Metrics

Higher scores indicate stronger vendor-implemented safeguards active by default; lower scores mean the operator must provision the control externally.

Each component below is scored on what the vendor implements by default versus what requires explicit operator configuration or external tooling.

Component | Score | Comments
Input Guardrails | 0 / 3 | No prompt-injection filter, content validation, or ML-based input scanner exists in the default configuration; the AST expression sandbox has been repeatedly bypassed [2] [13].
Execution Isolation | 1 / 3 | Default internal task runner shares the daemon uid/gid; external mode with sidecar container isolation is documented but requires explicit opt-in configuration [15].
Action Controls | 1 / 3 | Project-based RBAC restricts workflow creation and activation, but no per-action approval gate exists within a running workflow; the Editor role grants full credential access [22].
Output Guardrails | 0 / 3 | No DLP, output filtering, credential redaction, or exfiltration blocking is documented; binary data is served inline without Content-Security-Policy headers [8] [13].
Monitoring | 2 / 3 | Execution history is logged to the internal database, with SOC 2 Type 2 compliance for cloud; OpenTelemetry integration is opt-in; no behavioral anomaly detection by default [16].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the exfiltration chain by enabling SSRF protection, switching to external task runners, and deploying egress controls.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require webhook authentication tokens on all public-facing trigger endpoints — counters the unauthenticated input surface.
  • Configuration: Enable SSRF protection via N8N_RESTRICT_SSRF and configure IP blocklists to block internal network access — counters unrestricted external data fetching.
  • Engineering: Deploy a reverse proxy with request-body inspection that validates and sanitizes Form node submissions before expression evaluation — counters the double-evaluation vector.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Mandate external task runner mode for all production deployments to enforce container-level isolation on code execution — counters the shared-uid internal runner gap.
  • Configuration: Disable community node installation via N8N_COMMUNITY_PACKAGES_ENABLED=false to prevent untrusted npm package execution — counters the supply chain attack surface.
  • Engineering: Run n8n inside a minimal container with dropped capabilities, a read-only filesystem, and a non-root user — counters the full-host code execution blast radius.
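The following script is an added example, not n8n's own tooling or part of this profile: it audits an n8n environment file for the settings the Input Guardrails and Execution Isolation tips call for (SSRF protection on, external task runners, community packages off, the Execute Command node blocked). N8N_RESTRICT_SSRF and N8N_COMMUNITY_PACKAGES_ENABLED are the variables named on this page; N8N_RUNNERS_ENABLED, N8N_RUNNERS_MODE, N8N_RUNNERS_AUTH_TOKEN and NODES_EXCLUDE are assumed from the vendor's environment-variable documentation, so verify them against your n8n version, and both sample files are constructed.

```shell
#!/bin/sh
# Added example, not n8n's own tooling: audit an n8n environment file for the
# settings the Input Guardrails and Execution Isolation hardening tips call for.
# N8N_RESTRICT_SSRF and N8N_COMMUNITY_PACKAGES_ENABLED appear in the profile; the
# runner and NODES_EXCLUDE variables are assumed from the vendor's env-var docs.
# Both sample files below are constructed.

# get_var FILE NAME: value of the last NAME=value line, quotes stripped, empty if unset
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# audit_n8n_env FILE: prints one line per gap; returns the number of gaps (0 = hardened)
audit_n8n_env() {
    envfile=$1; gaps=0
    # Input guardrail: the HTTP Request node reaches internal hosts until SSRF protection is on
    [ "$(get_var "$envfile" N8N_RESTRICT_SSRF)" = "true" ] ||
        { echo "GAP N8N_RESTRICT_SSRF != true: HTTP Request node can reach internal hosts"; gaps=$((gaps + 1)); }
    # Execution isolation: code nodes must run in an external (sidecar) task runner
    [ "$(get_var "$envfile" N8N_RUNNERS_ENABLED)" = "true" ] &&
        [ "$(get_var "$envfile" N8N_RUNNERS_MODE)" = "external" ] ||
        { echo "GAP task runner is not external: JS/Python share the daemon's uid/gid"; gaps=$((gaps + 1)); }
    # Supply chain: community npm packages execute inside the n8n process
    [ "$(get_var "$envfile" N8N_COMMUNITY_PACKAGES_ENABLED)" = "false" ] ||
        { echo "GAP N8N_COMMUNITY_PACKAGES_ENABLED != false"; gaps=$((gaps + 1)); }
    # Blast radius: the Execute Command node hands any workflow editor a shell
    case "$(get_var "$envfile" NODES_EXCLUDE)" in
        *n8n-nodes-base.executeCommand*) ;;
        *) echo "GAP NODES_EXCLUDE does not block n8n-nodes-base.executeCommand"; gaps=$((gaps + 1)) ;;
    esac
    [ "$gaps" -eq 0 ] && echo "OK $envfile has no gaps"
    return "$gaps"
}

# Constructed samples: a near-default file and a hardened one
tmp=$(mktemp -d)
cat > "$tmp/weak.env" <<'EOF'
N8N_ENCRYPTION_KEY=replace-me
N8N_RUNNERS_ENABLED=true
N8N_RUNNERS_MODE=internal
EOF
cat > "$tmp/hard.env" <<'EOF'
N8N_ENCRYPTION_KEY=replace-me
N8N_RESTRICT_SSRF=true
N8N_RUNNERS_ENABLED=true
N8N_RUNNERS_MODE=external
N8N_RUNNERS_AUTH_TOKEN=replace-me
N8N_COMMUNITY_PACKAGES_ENABLED=false
NODES_EXCLUDE=["n8n-nodes-base.executeCommand","n8n-nodes-base.readWriteFile"]
EOF
for f in "$tmp/weak.env" "$tmp/hard.env"; do
    audit_n8n_env "$f" || echo "-> $f: fix the gaps above before deploying"
done
```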

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Restrict the Editor role to a minimal set of operators and assign the Viewer role for monitoring-only access — counters broad credential access via workflow editing.
  • Configuration: Implement network-level egress controls with an allow-list proxy constraining which external endpoints activated workflows can reach — counters unrestricted autonomous action.
  • Engineering: Audit credential usage per workflow and revoke unused integration credentials to reduce the blast radius of a single-workflow compromise — counters full credential store exposure.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Require Content-Security-Policy headers on all n8n responses via reverse proxy configuration — counters the stored XSS finding from inline binary data.
  • Configuration: Route workflow outputs through a logging proxy that redacts credential patterns before delivery to external consumers — counters absent DLP in default outputs.
  • Engineering: Restrict webhook response payloads to structured JSON schemas that prevent arbitrary data exfiltration through response channels — counters unrestricted output egress.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Require all production instances to export telemetry to a centralized SIEM with alerting on anomalous execution patterns — counters the opt-in monitoring blind spot.
  • Configuration: Configure execution-history retention policies and alert on failed executions exceeding baseline rates — counters silent failure of sandbox-escape attempts.
  • Engineering: Deploy network-level traffic monitoring on the n8n host to detect unexpected outbound connections to unknown endpoints — counters supply chain exfiltration channels.
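One way to act on the Monitoring configuration tip above, as an added example that is not part of this profile or of n8n: the script below counts failed executions in an execution listing, alerts when their share exceeds a baseline, and ranks the workflows producing them. The listing shape ({"data":[{"id":..,"workflowId":..,"status":..}]}) and the X-N8N-API-KEY header are assumed to match the n8n public API's GET /api/v1/executions; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not n8n's own tooling: alert when the share of failed executions in
# an execution listing exceeds a baseline, and show which workflows are failing.
# The listing shape is assumed to match the n8n public API (GET /api/v1/executions);
# the sample below is constructed.

# count_status FILE STATUS: number of executions in FILE whose status is STATUS
count_status() {
    grep -o "\"status\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# failed_by_workflow FILE: "workflowId count" lines, most failures first
# (records are split on '}' so compact and pretty-printed JSON both work)
failed_by_workflow() {
    tr '}' '\n' < "$1" | grep '"status": *"error"' |
        sed -n 's/.*"workflowId": *"\([^"]*\)".*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# alert_on_failed_executions FILE BASELINE_PCT: returns 1 and prints ALERT when the
# integer error percentage exceeds BASELINE_PCT, returns 0 otherwise
alert_on_failed_executions() {
    f=$1; baseline=$2
    errors=$(count_status "$f" error)
    total=$(grep -o '"status": *"[a-z]*"' "$f" | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] || { echo "OK no executions in window"; return 0; }
    pct=$((errors * 100 / total))
    if [ "$pct" -gt "$baseline" ]; then
        echo "ALERT $errors/$total executions failed ($pct% > ${baseline}% baseline)"
        return 1
    fi
    echo "OK $errors/$total executions failed ($pct%)"
}

# Constructed sample of what a recent-executions query might return. Live usage (assumed API):
#   curl -s -H "X-N8N-API-KEY: $N8N_API_KEY" "$N8N_URL/api/v1/executions?limit=100" > listing.json
sample=$(mktemp)
cat > "$sample" <<'EOF'
{"data":[
 {"id":"101","workflowId":"wf-1","status":"success","startedAt":"2026-03-01T10:00:00.000Z"},
 {"id":"102","workflowId":"wf-1","status":"error","startedAt":"2026-03-01T10:01:00.000Z"},
 {"id":"103","workflowId":"wf-2","status":"error","startedAt":"2026-03-01T10:02:00.000Z"},
 {"id":"104","workflowId":"wf-2","status":"success","startedAt":"2026-03-01T10:03:00.000Z"},
 {"id":"105","workflowId":"wf-1","status":"error","startedAt":"2026-03-01T10:04:00.000Z"}
],"nextCursor":null}
EOF
alert_on_failed_executions "$sample" 20 || { echo "failures by workflow:"; failed_by_workflow "$sample"; }
```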

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7] [13]) refer to the entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2026-21858: Unauthenticated file access via improper webhook request handling allows a remote attacker to access server files through form-based workflows. Patched in 1.121.0.
  2. CVE-2026-1470: Expression evaluation sandbox escape enables authenticated users to execute arbitrary code with n8n process privileges, leading to full instance compromise. Patched in 1.123.17.
  3. CVE-2026-0863: Python task-executor sandbox escape via string formatting and exception handling allows full instance takeover under Internal execution mode.
  4. CVE-2026-27495: JavaScript Task Runner sandbox escape allows authenticated workflow creators to execute arbitrary code outside the sandbox boundary. Patched in 2.10.1.
  5. CVE-2026-42231: Prototype pollution via xml2js in the webhook handler chains with Git node SSH operations to achieve remote code execution. Patched in 1.123.32.
  6. GHSA-c8xv-5998-g76h: HTTP Request node pagination prototype pollution to RCE via global prototype pollution by authenticated workflow creators. Patched in 1.123.43.
  7. GHSA-mhrx-qhrj-673w: Source Control Pull SQL injection via crafted Data Table JSON column names during administrator pull operations. Patched in 1.123.43.
  8. CVE-2026-33749: Stored XSS via binary data objects served inline without CSP headers allows JavaScript execution in higher-privileged sessions. Patched in 1.123.27.

Selected Research

  9. Achieving RCE on n8n via Sandbox Escape (JFrog Security Research): demonstrates two sandbox escape techniques in n8n expression evaluation and the Python Code node, bypassing AST sanitization to achieve full RCE.
  10. n8n Sandbox Escape Exposes Enterprise AI Systems (Pillar Security): demonstrates full multi-tenant platform compromise on n8n Cloud via expression sandbox escape, including decryption of all stored credentials across tenants.
  11. Zero-Click Unauthenticated RCE in n8n (Pillar Security): demonstrates zero-click unauthenticated remote code execution via a Form node double-evaluation bug affecting over 50,000 publicly accessible form endpoints.
  12. Supply Chain Attack Targets n8n Ecosystem (Endor Labs): documents the first known supply chain attack targeting n8n community nodes via malicious npm packages that exfiltrate OAuth tokens and API keys.

Vendor Documentation

  13. Securing n8n Overview: vendor documentation of available security controls, including SSL, SSO, 2FA, encryption key rotation, data redaction, node blocking, and SSRF protection.
  14. SSRF Protection Documentation: documents opt-in SSRF protection, disabled by default, with configurable IP blocklists and hostname allowlists for outbound HTTP request validation since version 2.12.0.
  15. Hardening Task Runners: documents external task runner mode with sidecar container isolation, distroless images, and a read-only filesystem as opt-in hardening for code execution.
  16. n8n Trust Center: vendor trust center with SOC 2 Type 2 certification, pentest reports, and CAIQ self-assessments for cloud and self-hosted deployments.
  17. n8n MCP Server Documentation: documents the built-in MCP server exposing workflows to external AI agents with per-workflow opt-in activation and bearer token authentication.

Other Sources

  18. Malicious npm Packages Target n8n (CSO Online): reports on the supply chain attack weaponizing the n8n community node ecosystem with deceptive npm packages that extract OAuth tokens through workflow execution.
  19. Canadian Cyber Security Advisory AL26-001: government advisory from the Canadian Centre for Cyber Security documenting multiple high-severity n8n vulnerabilities, including unauthenticated RCE.
  20. GHSA-v4pr-fm98-w9pg: vendor advisory documenting the unauthenticated file access vulnerability via improper webhook request handling, granting remote attackers server file access.
  21. GHSA-vpcf-gvg4-6qwr: vendor advisory for the expression sandbox escape leading to RCE, allowing authenticated workflow editors to trigger system command execution on the host.
  22. n8n RBAC Role Types: documents project-based authorization with Admin, Editor, and Viewer roles controlling workflow creation, credential access, and execution permissions.