n8n Security Vulnerabilities 2026: Why Unpatched Instances Become an Easy Target
Active n8n CVEs and the CISA Warning 2026 affect every self-hosted instance. What is affected and how to patch now.
SSO, audit logs, data residency: at which n8n plan security begins, and when self-hosting is cheaper than Business or Enterprise.

When choosing an n8n plan for your company, you quickly run into an unpleasant gap: the inexpensive entry-level plan offers neither Single Sign-on nor audit logs, yet that's exactly what many IT managers in mid-market companies see as the real purchase decision. User reviews on G2 and Capterra regularly mention this missing security parity between Cloud and Enterprise variants as the biggest criticism of n8n.
This article shows based on the current n8n pricing page and the n8n security documentation, where the boundary between Cloud entry-level, Business plan, and Enterprise license runs exactly, and when self-hosting with full data sovereignty becomes the more economically sensible alternative.
n8n sells four pricing tiers: Starter for 20 euros and Pro for 50 euros monthly with annual billing, both without any enterprise security features, while the Business plan from 667 euros per month unlocks SSO, SAML, and LDAP. Starter covers 2,500 workflow executions per month, Pro 10,000, Business 40,000. n8n negotiates Enterprise individually, usually only from significantly higher execution volumes or additional security requirements.
Important for budgeting: Business can be operated both in n8n Cloud and self-hosted, whereas Starter and Pro are exclusively Cloud subscriptions.
Audit logging, log streaming into a SIEM system, integration of external secret managers like HashiCorp Vault or Azure Key Vault, and instance-wide enforced two-factor authentication remain exclusively reserved for the Enterprise tier. The Business plan does include SSO, but none of these four features. n8n retains audit log history for at least twelve months, with the last three months immediately available for analysis.
For SMBs with customers from regulated industries such as healthcare or the public sector, that's a hard boundary: A complete audit trail for data access exists contractually only with Enterprise, not already with the significantly cheaper Business plan.
n8n Cloud stores customer data, according to its own information, exclusively on Azure servers in Frankfurt within the EU and encrypts it there with AES-256 according to FIPS-140-2, as the n8n security page confirms. The connection itself runs via TLS certificates from Cloudflare. n8n aligns its security program to SOC 2 and publishes a SOC 3 report.
Self-hosting shifts data residency completely into your own hands: location, operation, and encryption at rest then lie with the company itself, for example on a server in your own data center in Germany. That's opportunity and obligation at the same time: no dependence on a single cloud location, but also no automatic encryption without your own effort.
The security boundary at n8n does not run between Cloud and self-hosting, but between the license tiers Starter/Pro, Business, and Enterprise, as the following overview by criteria shows:
From approximately 20,000 workflow executions per month, the cost calculation tips in favor of self-hosting according to several independent n8n cost analyses, because the usage-based cloud fee disappears and only server costs and operational expenses remain.
In NordFlux consulting practice around n8n this shows up regularly with craft businesses and municipal facilities: as soon as multiple departments use automated workflows in parallel, the execution volume quickly exceeds the cheaper cloud contingents. A self-hosted n8n instance with external secrets management and its own reverse proxy then brings SSO and data sovereignty without paying the full Enterprise license fee.
Anyone who has neither time nor staff for ongoing operations still does better to stay with Cloud or Enterprise support. Anyone who wants to additionally tie the decision to governance and internal rollout should clarify that within a AI consulting before the plan is finalized.
From the Business plan for 667 euros per month with annual billing, available both in Cloud and self-hosted.
No. According to n8n, audit logging, log streaming, and instance-wide enforced 2FA are exclusively reserved for the Enterprise license; the Business plan only includes SSO.
On Azure servers in Frankfurt within the EU, encrypted with AES-256. With self-hosting, the company itself determines the server location.
Not automatically, but it provides full control over server location and encryption, which greatly facilitates your own evidence documentation.
From experience, around 20,000 workflow executions per month, when the usage-based cloud fee exceeds the operating costs of your own instance.
NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.
Active n8n CVEs and the CISA Warning 2026 affect every self-hosted instance. What is affected and how to patch now.
n8n can run in a GDPR-compliant way, but it is not automatically compliant. What sets cloud and self-hosting apart, and where workflows leak data.
In a free initial analysis we discuss your case directly. No strings attached.