What Happened
On March 31st, 2026, security researchers disclosed four critical vulnerabilities in n8n, the workflow automation platform. Two of them (CVE-2026-27577 and CVE-2026-27493) scored above 9.0 on the CVSS scale. The worst part? CVE-2026-27493 requires zero authentication. An attacker could exploit a public "Contact Us" form to execute arbitrary shell commands on your n8n server.
If you're running n8n for client work, this matters. A lot.
The Technical Details (Briefly)
CVE-2026-27577 (CVSS 9.4): Expression sandbox escape. An authenticated user with workflow permissions could craft expressions that execute system commands on the host running n8n.
CVE-2026-27493 (CVSS 9.5): Unauthenticated expression evaluation via Form nodes. Public form endpoints don't require authentication. Attackers could inject malicious payloads through form fields to execute commands. When chained with the sandbox escape, this becomes remote code execution.
Two additional critical flaws (CVE-2026-27495 and CVE-2026-27497) involve the JavaScript Task Runner sandbox and the Merge node's SQL query mode. Both allow authenticated users to execute arbitrary code.
Patches are available: versions 2.10.1, 2.9.3, and 1.123.22 address all four vulnerabilities. If you're running a self-hosted n8n instance, you need to update now.
What This Means For Agencies
If you're selling automation services, your clients trust you with their data. A compromised n8n instance can expose credentials for every connected service: AWS keys, database passwords, OAuth tokens, API keys. The researchers noted that attackers could read the N8N_ENCRYPTION_KEY environment variable and decrypt every credential stored in n8n's database.
That's not just your problem. That's your client's problem, and it becomes a liability issue fast.
The Self-Hosting Trade-Off
Self-hosting n8n gives you control, flexibility, and the ability to keep data on-premises. But it also makes you responsible for security patching, server hardening, network access controls, and monitoring. If you're running n8n for multiple clients on a single instance, the blast radius of a breach grows.
You need a plan for:
- Immediate patching when critical vulnerabilities drop (like today)
- Restricting workflow creation and editing to trusted users
- Isolating n8n deployments with limited OS privileges and network access
- Monitoring for unusual activity and unauthorized expression evaluations
If that sounds like a second job, it kind of is.
Managed Hosting: The Boring Solution That Works
One way to handle this: let someone else deal with it. FlowEngine's managed n8n hosting includes automatic security updates, isolated environments per client, and infrastructure monitoring. When a CVE like this drops, patches get applied without you needing to SSH into a server at 9 PM.
You still get full control over workflows and integrations. You just don't have to babysit the server.
If You're Staying Self-Hosted
If you prefer to run your own infrastructure, here's what n8n recommends as immediate mitigations:
- Update to patched versions: 2.10.1, 2.9.3, or 1.123.22
- Limit workflow creation and editing permissions to fully trusted users
- Deploy n8n in a hardened environment with restricted OS privileges
- If you can't patch immediately: disable the Form and Form Trigger nodes by adding n8n-nodes-base.form and n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable
- For CVE-2026-27495, use external runner mode (N8N_RUNNERS_MODE=external) to limit impact
- For CVE-2026-27497, disable the Merge node by adding n8n-nodes-base.merge to NODES_EXCLUDE
These are workarounds, not fixes. Update as soon as possible.
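As an added example (not code from n8n or from the advisory), a small POSIX shell helper that checks whether a self-hosted version is at or above the fixed release the post lists for its line, and builds the JSON-array string that n8n's NODES_EXCLUDE variable expects for the interim workaround. It assumes three-part version strings, and for 2.x lines other than 2.9 it compares against 2.10.1, so a 2.8.x instance is reported as unpatched (the conservative reading; the post does not say).

```shell
# Added example (not n8n's own code): patch-level check and NODES_EXCLUDE
# builder for the advisory above. Fixed releases are the ones the post lists.

# Compare two three-part versions. Prints 0 (equal), 1 (a > b) or 2 (a < b).
vercmp() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; s=${2#*.}; b2=${s%%.*}; b3=${s#*.}
    for p in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $p
        if [ "$1" -gt "$2" ]; then echo 1; return 0
        elif [ "$1" -lt "$2" ]; then echo 2; return 0
        fi
    done
    echo 0
}

# Succeeds when $1 is at or above the fixed release for its line:
# 2.9.x -> 2.9.3, other 2.x -> 2.10.1 (assumption), 1.x -> 1.123.22.
n8n_is_patched() {
    case "$1" in
        2.9.*) fixed=2.9.3 ;;
        2.*)   fixed=2.10.1 ;;
        1.*)   fixed=1.123.22 ;;
        *)     return 1 ;;   # 0.x has no listed fix: treat as unpatched
    esac
    [ "$(vercmp "$1" "$fixed")" != 2 ]
}

# Build the JSON-array string NODES_EXCLUDE expects from node type names.
nodes_exclude_json() {
    out=""
    for n in "$@"; do
        out="${out:+$out,}\"$n\""
    done
    printf '[%s]' "$out"
}

# Succeeds when $1 (an existing NODES_EXCLUDE value) names every node after it;
# matching the quoted name stops "...formTrigger" counting as cover for "...form".
nodes_exclude_covers() {
    val=$1; shift
    for n in "$@"; do
        case "$val" in *"\"$n\""*) ;; *) return 1 ;; esac
    done
    return 0
}
# Constructed sample run; a real check would read the version from the running instance.
for v in 2.10.0 2.9.3 1.124.0; do if n8n_is_patched "$v"; then echo "$v: patched"; else echo "$v: UPDATE NOW"; fi; done
echo "NODES_EXCLUDE=$(nodes_exclude_json n8n-nodes-base.form n8n-nodes-base.formTrigger n8n-nodes-base.merge)"
```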
The Bigger Picture
This isn't the first time n8n has had security issues, and it won't be the last. That's not a criticism of n8n specifically; any software with this much surface area will have vulnerabilities. The question is whether you have the infrastructure and processes to respond quickly when they're disclosed.
For freelancers and small agencies, security patching often falls through the cracks. You're busy building client workflows, not monitoring CVE feeds. Managed infrastructure takes that off your plate.
Takeaway
If you're running n8n in production, update now. If you're deciding between self-hosted and managed, consider how much time you want to spend on infrastructure versus client work. And if you're selling automation services to clients, make sure you have a plan for when (not if) the next critical vulnerability drops.
Security isn't exciting, but it's the difference between a sustainable automation business and a liability nightmare.
