Security Advisory: Security Vulnerability in n8n Versions 1.65-1.120.4
The security advisory for n8n versions 1.65 through 1.120.4 has been issued, detailing a critical vulnerability that could be exploited by an unauthenticated attacker under certain conditions. The issue has been patched in n8n version 1.121.0, released to the entire customer base on November 18, 2025. Cloud customers have already received automatic upgrades and are no longer affected by this vulnerability. This advisory is a clarion call for every organization that runs n8n in a self-hosted environment to act now to protect data, maintain compliance, and preserve business continuity.
What happened
In November 2025, the n8n team identified a vulnerability within a subset of form-based workflows. Specifically, a workflow that includes an active Form Submission trigger with a file element and a Form Ending node that returns a binary file could, under highly specific conditions, be exploited by an unauthenticated caller to gain read access to the underlying file system. The flaw stemmed from insufficient input validation and overly permissive handling of binary data within a constrained workflow context. In practical terms, this means an attacker with access to trigger points could access files stored within the n8n instance, potentially exposing sensitive information, credentials, or business data.
Affected versions and scope
The vulnerability impacts self-hosted installations running n8n versions 1.65-1.120.4. If you are on 2.x or cloud deployments, you are not affected; the 2.x line contains the fixes, and cloud operators have already applied them. If your deployment remains on the affected 1.x series, you must upgrade to 1.121.0 or later immediately to mitigate the risk.
Impact on day-to-day operations for No-Code business owners
The vulnerability creates several operational considerations for business owners using n8n in production workflows. The most immediate concern is risk exposure: unauthorized access to the file system can enable data exfiltration, internal reconnaissance, or disruption of automated processes. For a business that runs customer workflows, financial processing, or regulated data, this risk translates into potential compliance violations, customer trust erosion, and financial exposure.
- The vulnerability highlights the importance of strict secrets management, least-privilege access, and segmentation of workflows that handle sensitive data. If an attacker can trigger a workflow with a file payload, that payload could be used to access, reveal, or exfiltrate binary data stored in the instance. This underscores the necessity of configuring robust access controls, rotating secrets, and restricting public exposure of internal endpoints.
- The recommended remediation is straightforward—update to 1.121.0 or a later 2.x version. Cloud users are already protected, but self-hosted users need to act. This urgency reshapes day-to-day IT routines: maintenance windows, testing cycles, and downtime planning must align with a quick upgrade to prevent exploitation windows.
- After upgrading, verify that critical flows continue to function as expected. The vulnerability was in form-based workflows; hence, flows that rely on file uploads via forms should be prioritized for validation after patching. This may involve re-running payment, order processing, or document ingestion workflows to confirm there are no regressions in permission handling or file I/O logic.
- The patch elevates the need for monitoring per-execution logs, access patterns, and file-system activity. Teams should consider adding alerting around unusual file access during form submissions and enable additional auditing to detect potential abuse or misconfigurations.
Remediation and upgrade guidance
Immediate action is recommended for self-hosted users still on 1.65-1.120.4. The official fix is included in version 1.121.0 (released November 18, 2025). If you are on any 2.x version, you are already protected. Cloud deployments have been upgraded automatically and require no action.
- : Confirm the n8n version in use. If you are on 1.65-1.120.4, you must upgrade.
- : Upgrade to 1.121.0 or newer. For self-hosted deployments, this typically means pulling the 1.121.0 image and redeploying the instance. If you are on 2.x, ensure you are on the latest 2.x release.
- : Run a quick test on forms that accept file uploads and on workflows that return binary data. Validate that there are no unexpected permissions changes or read-access anomalies. Review access controls and ensure secret management remains intact post-upgrade.
- : No action needed. The cloud service has been upgraded and is secure.
- : If you detect any suspicious activity after upgrade, follow your standard security incident response plan. This includes containing the affected workflow, rotating credentials, and notifying stakeholders.
Guiding principles for No-Code teams after a security incident
Security incidents in No-Code automation demand a careful blend of technical remediation and business continuity planning. The following principles help translate a vulnerability fix into actionable operations for non-technical stakeholders:
- Rapid containment: Immediately isolate affected workflows to prevent a broader data exposure while patching is underway.
- Clear communication: Notify internal teams and, if applicable, customers about the vulnerability, mitigation steps, and the upgrade timeline.
- Root-cause tracking: Identify which workflows can trigger binary data ingestion and review their security posture (permissions, credentials, and access controls) to avoid similar issues in the future.
- Documentation and governance: Update runbooks, security policies, and change-management procedures to include vulnerability remediation steps and upgrade verification.
- Continuous hardening: After patching, implement additional hardening such as restricted public endpoints, network segmentation, and enhanced logging for form-based triggers.
Practical checklist for immediate action
- Identify all self-hosted n8n instances in your organization and confirm their versions.
- Upgrade each instance to 1.121.0 or to the latest 2.x release where available.
- Run the recommended upgrade verification steps to ensure the vulnerability is mitigated and that no new issues are introduced.
- Review access controls and ensure least-privilege policies are in place for form triggers and file handling.
- Implement or strengthen monitoring around file-based triggers in workflows that accept file uploads.
- Document the upgrade in the security incident log and adjust your incident response playbook to reflect this event.
- Communicate to stakeholders about the patch and the steps customers may need to take if applicable.
What this means for the No-Code ecosystem
For the No-Code ecosystem, this advisory underscores the importance of security-first design in low-code platforms. While cloud deployments mitigate risk through automated patching, many organizations rely on self-hosted instances. The vulnerability highlights a broader pattern: as automation becomes more embedded in business processes, the risk surface increases—the attack surface expands with every new form-triggered workflow and with every uploaded file. Organizations should respond with a combination of rapid patching, governance hardening, and a culture of security-minded automation design. This also reinforces the case for robust backup strategies, versioned deployments, and tested upgrade paths so that patching does not become a production blocker.
Closing note
Security vulnerabilities are a reality of modern software, and the No-Code ecosystem is not immune. The key is rapid, disciplined response: apply the fix, validate that critical workflows continue to operate as expected, and implement additional safeguards to reduce the risk of future exposure. The n8n team has provided a clear upgrade path and the cloud deployments have already been updated, allowing self-hosted users to act quickly to protect their automation assets and customer data.
