N8n self-hosted community nodes disable guidance
Advisory/Mitigation
Summary
n8n warned self-hosted operators to disable community nodes because a malicious npm package installed as a community node runs with the same access as n8n itself and can steal decrypted credentials. The guidance is to set N8N_COMMUNITY_PACKAGES_ENABLED=false, which turns off the community-node integration path. That matters because a community node executing inside a workflow can read environment variables, access the file system, and exfiltrate API keys and OAuth tokens while the workflow runs.
Related Happenings
N8n security fixes after Pillar findings
Security Patch Release
First: 12.03.2026 17:28
Last: 12.03.2026 17:28
Sources 1
About this happening:
**n8n** released an **initial patch update in December 2025** and **nine security fixes in early 2026** to address reported flaws in the workflow automation platform. The update c...
N8n sandbox escape flaws (multiple vulnerabilities)
Vulnerability
First: 04.02.2026 15:00
Last: 04.02.2026 15:00
Sources 1
About this happening:
Two **maximum-severity sandbox-escape flaws** in **n8n** expose **self-hosted and cloud instances** to **complete server takeover** and **credential theft**. An **authenticated us...
Malicious npm packages masquerading as n8n integrations to steal OAuth credentials
Malware Activity
First: 12.01.2026 18:39
Last: 12.01.2026 18:39
Sources 1
How related:
Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials.
About this happening:
A set of **eight npm packages** impersonating **n8n integrations** is stealing **developers' OAuth credentials**, putting linked services and workflow access at risk. One package...
JsPDF team security patch release for CVE-2025-68428
Security Patch Release
First: 07.01.2026 23:46
Last: 07.01.2026 23:46
Sources 1
About this happening:
**jsPDF** fixed **CVE-2025-68428** in **version 4.0.0** for its **Node.js builds**, reducing the risk that generated PDFs could expose **local filesystem** content. The release **...
N8n form-based workflow file-read flaw (CVE-2026-21858)
Vulnerability
First: 07.01.2026 15:48
Last: 07.01.2026 15:48
Sources 1
About this happening:
**n8n** disclosed **CVE-2026-21858** (**CVSS 10.0**), a **maximum-severity** **Content-Type confusion** flaw in **form-based workflows** that can let an **unauthenticated remote a...
Timeline
12.01.2026 18:39 2 articles · 4mo ago
n8n warns self-hosted operators to disable community nodes
Mitigation Patch Update
n8n warned that community nodes from npm can execute malicious actions with the same level of access as n8n itself, including reading environment variables, accessing the file system, making outbound network requests, and receiving decrypted API keys and OAuth tokens during workflow execution. On self-hosted n8n instances, the recommended mitigation is to disable community nodes by setting N8N_COMMUNITY_PACKAGES_ENABLED to false and to prefer official integrations.
Sources
- n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens — thehackernews.com — 12.01.2026 18:39