It's not that the tool itself is inherently insecure - it's more about how users are encouraged to use it.
Nearly all workflows built using N8n that I've seen face some kind of prompt injection vulnerability. This is primarily because, in most cases, you configure the LLM by directly inserting external data into the system prompt. As many of you know, the system prompt has the highest execution priority, meaning instructions placed there can heavily influence how the LLM interacts with its tools.
While this isn't exploitable in every situation, it can often be exploited rather generically: by embedding prompts in your social media bio, website, or other locations from where these workflows pull data. Recently, I've managed to use this technique to prompt a random LinkedIn bot to email me back a list of their functions. That's not overly exciting in itself, but it clearly demonstrates the potential for malicious use.
This issue is not specific to N8n. Other tools do it too. But it seems to me there is little to no awareness that this is in fact a problem.
There is a better, safer way to incorporate external data into LLM prompts without jumping through hoops, but unfortunately, that's not how things are currently done with N8n, at least as of today.
As somebody working in AI Security: There isn't one currently. If you're feeding untrusted inputs into an LLM (today), you have to treat the entire prompt as radioactive.
That means:
- Limit the potential for a malicious prompt to do anything bad
- Scope permissions to the lowest level you can
There are some other mitigations (moderation APIs using a 2nd LLM), but in general they're not 100% solutions. You really need to design your systems around accepting this limitation today.
A- Limit the capabilities of users.
B- Help users limit the capabilities that they to their sub-users, whether they be per-program capabilities or per dependency capabilities.
I think B is the path forward, if you give a user access to emails and files and ChatGPT, then he can give ChatGPT access to emails and files and do damage that way.
With B you can give the user access to ChatGPT and email and a file system, but help him configure fine grained permissions for their experiments.
I prefer to have my flow hard-coded, with specific data input/output between steps, and have the calls be done through n8n connections instead of letting the AI call the tools with arbitrary data.
n8n has been good but not great in our organization (and we pronounce it "Nathan", to answer someone else's question). It's effectively a self-hosted version of Zapier and has quite a few built-in integrations. It's a bit more annoying to use than Zapier (but the price is right), and the AI features are currently about like the AI features of every other product: basically sufficient to tell investors "we do AI!" but not anything you're going to actually use.
The one frustration we have with n8n is trying to create custom "apps" (triggers or destinations for workflows). It's clear that the custom apps are an afterthought and have gone through multiple iterations of "here's the best way to do it", and you end up having to just keep trying until you get it to do what you want. Annoyingly, there's no way to manage custom apps in the interface itself - you have to create a Javascript module and then inject it into a .npm directory somewhere inside of the applications Docker container, which just doesn't feel very "professional".
If n8n would add some kind of admin interface for managing custom apps - especially just supporting basic use cases like specifying a REST API as a reusable custom app - it would be great, but still has a ways to go in terms of features (like better user permissions management as part of the lackluster SSO) before it's truly going to be an enterprise grade solution.
That said, we tried Windmill first and while it was cool for the devs who were able to see the vision, the non-technical users hated it and have heavily praised n8n once we created a custom app to let them integrate with our system.
Overall I would say n8n is worth trying if you need something like this, but expect to do some tinkering if you go beyond what it does out of the box.
> That said, we tried Windmill first and while it was cool for the devs who were able to see the vision, the non-technical users hated it
Founder of Windmill here. This is not too surprising although we are working on it by leveraging AI and just better DX/design. Pleasing devs in the most demanding orgs and the ever-changing expectations is challenging by itself. Pleasing both devs AND non-technical user is a monumental task that we are now giving more attention to by focusing on 2 aspects:
- A better DX/UX that does not sacrifice power-user capabilities but has a less step learning-curve and more intuitiveness to it. That is mostly about good design and hard work. We are taking inspiration from the best and on the intuitiveness, we've learned a lot from n8n and other leaders in the space.
- leveraging AI capabilities in a state-of-the-art way to have the best models generate the code for non-technical users. That is basically just adopting the best practices inspired by cursor such as great auto-completion, great inline code-gen, excellent semantic search.
For doing streaming in Node-RED, I created a library[1] - it's been through exacatly one example flow[2] - for that it worked well. I've not had a use case for it, it was just an idea of mine to implement an ETL pipeline using NodeRED.
The library just uses the streaming API[3] of NodeJS - effectively converting lines of CSV (for example) into individual messages that flow through NodeRED.
NodeRED isn't great for handling large messages but perfect for directing many small messages.
Have not used Node Red in production and only played with it briefly, but n8n is more of a Zapier replacement whereas Node Red I believe is more of an IoT automation platform.
n8n is made so that you can set it up and give your staff access and they can manage their own workflows (like "when a customer opens a support ticket, update their Salesforce record to increment the number of tickets they have opened").
It's clearly aimed at non technical users being able to develop their own solutions to problems (for better or for worse), more so than Windmill which is made for developers to solve their own problems or develop solutions that non-technical people can use. Node Red if I remember correctly is more heavily weighted toward real time events for dev (especially hardware/IoT dev) use than "let the support team manage their own workflows for routing customer complaints"
I've used Node Red and n8n both on my homelab and deleted Node Red after awhile. The UI, workflow and 3rd party service support is simply just better on n8n. I could see Node Red having its advantages if you're used to writing code all day (I'm not).
Curious if you tried us, Activepieces. We have different ways of sharing "pieces" including merging them to our repo, uploading them to an npm registry or uploading them as private pieces in the platform admin. We're also very much loved by both devs and non-technical users. So I'm wondering what you'd think of it.
A while back I used it to glue together a bunch of APIs to make a geofence on top of a WiFi location service my company offers. Super easy to prototype external computation without something like severless/lambda (which would be the likely path for production)
Thanks for sharing, Chris! In case it's helpful to other readers, the linked article outlines combining several tools together, including N8n and how it fit into the picture. Decent article, although a bit shallow on details.
We (at https://vlm.run) use n8n internally for a lot of automations and it’s been great (Reddit/HN scraping), slack automations, cron jobs for sales etc.
We also made a custom node for popular document/image/video ETL jobs like document-to-markdown, audio/video transcriptions with VLMs (Vision Language Models).
Tried it, but in an age where AI does a lot of the work in coding, I think just using code to automate things is better than using n8n, the visual aspect though of the AI agents nodes, chains and workflows is the one thing that is interesting in n8n
Having some experience with both, I think they are quite different. N8n looks quite polished and seems primarily concerned about connecting pre-made blocks. There are custom code blocks (JS and Python only, with limited ability to import libraries), but it’s not something you’d use by default. I thinks it great for less-technical users when compared to windmill.
Windmill OTOH supports a bunch of programming languages for steps (Go, Rust, Python, TS, etc.) and seems to have a much more “code first” approach. Reusable blocks are more like code templates compared to n8n.
Hard to say which is better. I really like the ability in windmill to just write code for each step and it comes across more powerful, but it feels less polished and intuitive when compared to n8n.
I'm not ashamed to admit than n8n feels more polished. There are a few reasons:
- Our team was and is still much smaller. We were 5 for the first 2 years, we are now 10 (year 3), and are continuing to hire to follow our growth.
- They have been around for longer and mature for longer, more time to iterate. We have reached some level of maturity recently and are now spending more iterations on polishing rather than new features.
- Their surface area is smaller, windmill does A LOT and expose more for the better or worse.
n8n has done a lot of things really well and although we have a different audience, there is a lot to learn from what they did very well and we have the upmost respect for them. We have some overlap, but I think ultimately we strive in different kind of orgs and will cohabit rather than compete.
Windmill is also not fully open source; there are major sections of it powering central features that are not released as free software.
Also, they require a CLA with copyright assignment so they can reuse your contributions in nonfree software. It’s always shady when companies do this.
The open source parts of Windmill are partially Apache and partially AGPL; there are some of us who additionally regard the AGPL as nonfree (because it’s really a EULA).
> Also, they require a CLA with copyright assignment so they can reuse your contributions in nonfree software. It’s always shady when companies do this.
They sell a version of the software, of course they'd have a CLA. It's not shady, it's a prerequisite to be able to sell - because even if you assume no contributor will decide to retract their contribution later on, many of your customers will ask for guarantees that you fully own, control and can sell the code you're selling them
Just to clarify.
The reason why you aren't saying N8n is open source because of its license right? I haven't read its license but it does seem to me to have quite some restrictions.
Typically when people say open source they mean that the source code can be used , modified and made public for any purpose. There is an organization called OSI that maintains a ratified list of licenses that are compatible with the ideals of the open source movement. Although the OSI has been compromised by the big cloud providers and no longer serves the public interest, the list can still be relied on as a good sign that the license you're looking at is open source.
I can highly recommend n8n. I prefer it over Make.com, Pipedream, Zapier, etc. for automations and AI agent tasks. Basically, anything you want to automate but don't want to spin up a custom code server each time.
The main reasons I switched to n8n are it's open source, meaning I can run it locally without limits, and it supports code nodes in javascript and python. Make.com used to drive me bonkers when it took 10+ minutes to create all the nodes in the UI to handle loops, errors, etc. when I could normally just write a few lines of code to handle it.
Only downside to n8n vs other platforms is it's polling based vs instant trigger unlike Zapier's and Make.com's connectors. So if you're processing email, Google Sheets data, etc. you'll have more latency with n8n unless you add some custom middleware to handle instant triggers. But polling is actually a benefit in my case since I mostly run n8n locally through docker. Whenever I spin it up, it auto catches up on new data it hasn't yet processed.
n8n's AI nodes are first rate and more intuitive IMO than others. You can easily extend it with custom LangChain nodes as well if you're self hosting.
If you want to play around with n8n locally, this tool makes it easy: https://github.com/LLemonStack/llemonstack/ I created it to make it easier for me to spin up and down project stacks on the same machine.
I recently started using it, and as an experienced developer, I love it.
It's really easy to automate tasks and schedule things.
For example, I connected it to my UXWizz MySQL database, asked the AI in UXWizz to give me a query with the funnel conversions for today (visits/pricing/checkout/sales) compared to last week, copied that into n8n and made it send me an emoji-formatted daily Telegram message.
I am now using it to implement an AI chat-bot/support ticket responder, and I'm planning to migrate a Node.js auto-poster to it, so I can easily change the schedule/model/content of the post without having to edit any code.
I like that it has good documentation for integrations. For example, I was testing Google Ads, and I want to do conversion tracking without adding the Google JS to my page. Again, I used an MySQL connection to my UXWizz analytics dashboard to select the gclid for all visits that lead to a conversion event, then with n8n I upload those daily to a Google Sheet, which is then used by Google Ads to properly track conversions. The Google Sheet integration is not trivial (you need Google Cloud account, create an app, create oauth login, etc.), but the n8n docs were clear enough to follow and up-to-date enough to work.
Can I ask you why so many things with N8N is connected over Telegram it seems versus for example slack? Not a user of Telegram so I honestly am curious about this choice
Before it was moved to GitHub Actions, we had a multiple-step deployment flow created in Node-Red, I believe you can achieve more or less the same thing with n8n. Never tried tho, it wasn't necessary anyway. If I really really simplify it's like, checkout, run some tests, deploy to a preview env, run some more tests, report back to slack.
On a personal level, I use it to automate booking a tennis court. It logs in, selects the date and time (pre-defined), adds a partner/opponent, books the court, pings a service that generates a calendar entry. If I decide to cancel the booking, it again pings the service and removes the calendar entry. I needed to bend some "nodes" to do what I need within the same workflow (such as create event runs once a day but update event runs in every 10 minutes).
In the past, I also used it to detect service interruptions with my ISP. I don't use that ISP anymore, so this workflow is redundant, but it was checking an API and if there's an entry, sending it as a push notification (via ntfy) to my phone.
I got to know n8n from HN comments a couple year ago. I tried it and kinda liked it, it was really a tool for making quick PoC, trying remote APIs and building operations.
I was able to hack a MVP of a new product in just one or two days.
Now, the company uses n8n for a lot of stuff, out ops team and finance team is expected to automatize manual work using n8n. From billing to financial conciliation to customer support. Also in product/dev team we implement some parts as flows, for things we expect to change a lot of features that are more internal.
But n8n requires a lot of time and care. It's not intended for high loads, they make a lot of breaking changes (more like new bugs, but is not fun).
We do all this self hosting in a k8s cluster.
In general I like it, but I think is still intended for a personal o early adopter.
Funny, one of my biz co-founder, learned and created a new biz just teaching it.
It is great to make chatbots in my opinion. Personal automations, AI, etc. I have friends who use it to prototype products and it works using n8n as backend for users. I mostly don't do this, only prototypes that only I can access. It has pros and cons vs coding, and you probably have to make something using n8n to see if it works for you.
It depends on what you need. For use cases like "export data from HubSpot, transform it (join by id, normalize), and load it into Google Spreadsheets," it works great. I've tested it for marketing automation, but it requires skill to configure properly.
Readit News
It's not that the tool itself is inherently insecure - it's more about how users are encouraged to use it.
Nearly all workflows built using N8n that I've seen face some kind of prompt injection vulnerability. This is primarily because, in most cases, you configure the LLM by directly inserting external data into the system prompt. As many of you know, the system prompt has the highest execution priority, meaning instructions placed there can heavily influence how the LLM interacts with its tools.
While this isn't exploitable in every situation, it can often be exploited rather generically: by embedding prompts in your social media bio, website, or other locations from where these workflows pull data. Recently, I've managed to use this technique to prompt a random LinkedIn bot to email me back a list of their functions. That's not overly exciting in itself, but it clearly demonstrates the potential for malicious use.
This issue is not specific to N8n. Other tools do it too. But it seems to me there is little to no awareness that this is in fact a problem.
There is a better, safer way to incorporate external data into LLM prompts without jumping through hoops, but unfortunately, that's not how things are currently done with N8n, at least as of today.
That means: - Limit the potential for a malicious prompt to do anything bad - Scope permissions to the lowest level you can
There are some other mitigations (moderation APIs using a 2nd LLM), but in general they're not 100% solutions. You really need to design your systems around accepting this limitation today.
More info on this wiki here: https://github.com/tldrsec/prompt-injection-defenses
A- Limit the capabilities of users. B- Help users limit the capabilities that they to their sub-users, whether they be per-program capabilities or per dependency capabilities.
I think B is the path forward, if you give a user access to emails and files and ChatGPT, then he can give ChatGPT access to emails and files and do damage that way.
With B you can give the user access to ChatGPT and email and a file system, but help him configure fine grained permissions for their experiments.
I prefer to have my flow hard-coded, with specific data input/output between steps, and have the calls be done through n8n connections instead of letting the AI call the tools with arbitrary data.
The one frustration we have with n8n is trying to create custom "apps" (triggers or destinations for workflows). It's clear that the custom apps are an afterthought and have gone through multiple iterations of "here's the best way to do it", and you end up having to just keep trying until you get it to do what you want. Annoyingly, there's no way to manage custom apps in the interface itself - you have to create a Javascript module and then inject it into a .npm directory somewhere inside of the applications Docker container, which just doesn't feel very "professional".
If n8n would add some kind of admin interface for managing custom apps - especially just supporting basic use cases like specifying a REST API as a reusable custom app - it would be great, but still has a ways to go in terms of features (like better user permissions management as part of the lackluster SSO) before it's truly going to be an enterprise grade solution.
That said, we tried Windmill first and while it was cool for the devs who were able to see the vision, the non-technical users hated it and have heavily praised n8n once we created a custom app to let them integrate with our system.
Overall I would say n8n is worth trying if you need something like this, but expect to do some tinkering if you go beyond what it does out of the box.
Founder of Windmill here. This is not too surprising although we are working on it by leveraging AI and just better DX/design. Pleasing devs in the most demanding orgs and the ever-changing expectations is challenging by itself. Pleasing both devs AND non-technical user is a monumental task that we are now giving more attention to by focusing on 2 aspects:
- A better DX/UX that does not sacrifice power-user capabilities but has a less step learning-curve and more intuitiveness to it. That is mostly about good design and hard work. We are taking inspiration from the best and on the intuitiveness, we've learned a lot from n8n and other leaders in the space.
- leveraging AI capabilities in a state-of-the-art way to have the best models generate the code for non-technical users. That is basically just adopting the best practices inspired by cursor such as great auto-completion, great inline code-gen, excellent semantic search.
We can't even have the "be notified on workflow error" feature without being a paid customer, at this stage, it's just a joke to call it open-source
I've just poked at them, but my impression was that Node Red much more capable.
IIRC one of my issues with n8n was the lack of streaming ability, which kills it for large datasets.
The library just uses the streaming API[3] of NodeJS - effectively converting lines of CSV (for example) into individual messages that flow through NodeRED.
NodeRED isn't great for handling large messages but perfect for directing many small messages.
[1] https://flows.nodered.org/node/@gregoriusrippenstein/node-re...
[2] https://flowhub.org/f/c520d9da20ad7f1d
[3] https://nodejs.org/dist/latest-v18.x/docs/api/stream.html
n8n is made so that you can set it up and give your staff access and they can manage their own workflows (like "when a customer opens a support ticket, update their Salesforce record to increment the number of tickets they have opened").
It's clearly aimed at non technical users being able to develop their own solutions to problems (for better or for worse), more so than Windmill which is made for developers to solve their own problems or develop solutions that non-technical people can use. Node Red if I remember correctly is more heavily weighted toward real time events for dev (especially hardware/IoT dev) use than "let the support team manage their own workflows for routing customer complaints"
You can go a _long_ way with the split/join nodes and a little ingenuity to work around any issues with streaming.
Custom apps aside, how do Zapier and n8n compare in your experience?
And their Launch HN: https://news.ycombinator.com/item?id=34723989
Pros:
- Good observability. It’s handy that they track all executions and let you see when workflows run.
- Usable for non-technical people.
- They’ve had all the integrations we needed.
Cons:
- Implementing parallel execution for async parts of the workflow is complicated and flaky.
- Pricing is expensive for the hosted version.
- Version control is bad.
- If you have engineering capacity, it’s faster and simpler to write some more backend code if you already have a backend.
https://blog.golioth.io/a-2-geofence-wi-fi-location-here-com...
We also made a custom node for popular document/image/video ETL jobs like document-to-markdown, audio/video transcriptions with VLMs (Vision Language Models).
https://github.com/vlm-run/n8n-nodes-vlmrun
https://www.npmjs.com/package/@vlm-run/n8n-nodes-vlmrun/v/0....
Windmill OTOH supports a bunch of programming languages for steps (Go, Rust, Python, TS, etc.) and seems to have a much more “code first” approach. Reusable blocks are more like code templates compared to n8n.
Hard to say which is better. I really like the ability in windmill to just write code for each step and it comes across more powerful, but it feels less polished and intuitive when compared to n8n.
I'm not ashamed to admit than n8n feels more polished. There are a few reasons:
- Our team was and is still much smaller. We were 5 for the first 2 years, we are now 10 (year 3), and are continuing to hire to follow our growth.
- They have been around for longer and mature for longer, more time to iterate. We have reached some level of maturity recently and are now spending more iterations on polishing rather than new features.
- Their surface area is smaller, windmill does A LOT and expose more for the better or worse.
n8n has done a lot of things really well and although we have a different audience, there is a lot to learn from what they did very well and we have the upmost respect for them. We have some overlap, but I think ultimately we strive in different kind of orgs and will cohabit rather than compete.
I hadn't seen this term before but it looks interesting:
https://faircode.io/
Also, they require a CLA with copyright assignment so they can reuse your contributions in nonfree software. It’s always shady when companies do this.
The open source parts of Windmill are partially Apache and partially AGPL; there are some of us who additionally regard the AGPL as nonfree (because it’s really a EULA).
They sell a version of the software, of course they'd have a CLA. It's not shady, it's a prerequisite to be able to sell - because even if you assume no contributor will decide to retract their contribution later on, many of your customers will ask for guarantees that you fully own, control and can sell the code you're selling them
And whereas Windmill seems to be agpl + apache.
So that is what you are mentioning, right?
The main reasons I switched to n8n are it's open source, meaning I can run it locally without limits, and it supports code nodes in javascript and python. Make.com used to drive me bonkers when it took 10+ minutes to create all the nodes in the UI to handle loops, errors, etc. when I could normally just write a few lines of code to handle it.
Only downside to n8n vs other platforms is it's polling based vs instant trigger unlike Zapier's and Make.com's connectors. So if you're processing email, Google Sheets data, etc. you'll have more latency with n8n unless you add some custom middleware to handle instant triggers. But polling is actually a benefit in my case since I mostly run n8n locally through docker. Whenever I spin it up, it auto catches up on new data it hasn't yet processed.
n8n's AI nodes are first rate and more intuitive IMO than others. You can easily extend it with custom LangChain nodes as well if you're self hosting.
If you want to play around with n8n locally, this tool makes it easy: https://github.com/LLemonStack/llemonstack/ I created it to make it easier for me to spin up and down project stacks on the same machine.
Or see n8n's official repo for instructions on running locally: https://github.com/n8n-io/n8n
It's really easy to automate tasks and schedule things.
For example, I connected it to my UXWizz MySQL database, asked the AI in UXWizz to give me a query with the funnel conversions for today (visits/pricing/checkout/sales) compared to last week, copied that into n8n and made it send me an emoji-formatted daily Telegram message.
I am now using it to implement an AI chat-bot/support ticket responder, and I'm planning to migrate a Node.js auto-poster to it, so I can easily change the schedule/model/content of the post without having to edit any code.
I like that it has good documentation for integrations. For example, I was testing Google Ads, and I want to do conversion tracking without adding the Google JS to my page. Again, I used an MySQL connection to my UXWizz analytics dashboard to select the gclid for all visits that lead to a conversion event, then with n8n I upload those daily to a Google Sheet, which is then used by Google Ads to properly track conversions. The Google Sheet integration is not trivial (you need Google Cloud account, create an app, create oauth login, etc.), but the n8n docs were clear enough to follow and up-to-date enough to work.
On a personal level, I use it to automate booking a tennis court. It logs in, selects the date and time (pre-defined), adds a partner/opponent, books the court, pings a service that generates a calendar entry. If I decide to cancel the booking, it again pings the service and removes the calendar entry. I needed to bend some "nodes" to do what I need within the same workflow (such as create event runs once a day but update event runs in every 10 minutes).
In the past, I also used it to detect service interruptions with my ISP. I don't use that ISP anymore, so this workflow is redundant, but it was checking an API and if there's an entry, sending it as a push notification (via ntfy) to my phone.
I was able to hack a MVP of a new product in just one or two days.
Now, the company uses n8n for a lot of stuff, out ops team and finance team is expected to automatize manual work using n8n. From billing to financial conciliation to customer support. Also in product/dev team we implement some parts as flows, for things we expect to change a lot of features that are more internal.
But n8n requires a lot of time and care. It's not intended for high loads, they make a lot of breaking changes (more like new bugs, but is not fun).
We do all this self hosting in a k8s cluster.
In general I like it, but I think is still intended for a personal o early adopter.
Funny, one of my biz co-founder, learned and created a new biz just teaching it.