Environment variable access in n8n
Why direct process.env access in Code nodes poses security risks
What is this issue?
Accessing process.env directly in Code nodes can expose sensitive environment variables (database passwords, API keys, internal URLs) and is restricted in n8n v2 task runners for security reasons.
Problematic patterns:
• process.env.DATABASE_PASSWORD in Code node
• Reading AWS_SECRET_ACCESS_KEY directly
• Accessing internal service URLs from env
• Dumping process.env to logs or outputs
Why is this dangerous?
Credential exposure
Environment variables often contain critical secrets that shouldn't be accessible to workflow code.
Sandbox bypass
Direct env access can circumvent n8n's designed security boundaries.
v2 incompatibility
n8n v2 task runners block env access by default, breaking workflows that depend on it.
Information disclosure
Env variables can reveal internal infrastructure details to attackers.
How to fix it
1. Use n8n's variable system
Define variables in n8n's Settings → Variables and reference them with $env instead of process.env.
2. Use workflow settings
Set environment-specific values in workflow settings that are properly scoped.
3. Configure task runner allowlist
If env access is required, configure N8N_BLOCK_ENV_ACCESS_IN_NODE appropriately.
4. Audit env dependencies
Review what environment variables your Code nodes depend on and migrate to proper mechanisms.
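One way to carry out the audit in step 4, as an added example that is not part of the original page or of n8n itself: it walks an exported workflow and lists which environment variables each Code node reads. It assumes the export has a top-level nodes array with the code in parameters.jsCode or parameters.functionCode; the sample workflow and its node names are constructed.

```javascript
// Added example: audit an exported n8n workflow for process.env use in Code nodes.
// Assumption: code lives in parameters.jsCode (Code node) or parameters.functionCode
// (older Function node) of each entry in the export's "nodes" array.
const CODE_PARAMS = ["jsCode", "functionCode"];

// Matches process.env, optionally followed by .NAME or ["NAME"].
const ENV_RE = /process\s*\.\s*env\b(?:\s*\.\s*([A-Za-z_$][\w$]*)|\s*\[\s*(["'])([^"']+)\2\s*\])?/g;

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    for (const param of CODE_PARAMS) {
      const code = node.parameters?.[param];
      if (typeof code !== "string") continue;
      const names = new Set();
      let wholeObject = false; // bare process.env or a computed key: cannot be enumerated
      for (const m of code.matchAll(ENV_RE)) {
        const name = m[1] ?? m[3];
        if (name) names.add(name);
        else wholeObject = true;
      }
      if (names.size > 0 || wholeObject) {
        findings.push({ node: node.name, variables: [...names].sort(), wholeObject });
      }
    }
  }
  return findings;
}

// Constructed sample export (not from a real instance).
const sampleWorkflow = {
  name: "constructed-example",
  nodes: [
    { name: "Fetch rows", type: "n8n-nodes-base.code",
      parameters: { jsCode: "const pw = process.env.DATABASE_PASSWORD;\nreturn items;" } },
    { name: "Sign request", type: "n8n-nodes-base.code",
      parameters: { jsCode: "const k = process.env['AWS_SECRET_ACCESS_KEY'];\nreturn items;" } },
    { name: "Debug", type: "n8n-nodes-base.code",
      parameters: { jsCode: "console.log(process.env);\nreturn items;" } },
    { name: "Reshape", type: "n8n-nodes-base.code",
      parameters: { jsCode: "return items.map((i) => ({ json: i.json }));" } },
    { name: "HTTP", type: "n8n-nodes-base.httpRequest", parameters: { url: "https://example.invalid" } },
  ],
};

for (const f of auditWorkflow(sampleWorkflow)) {
  const vars = f.variables.join(", ") || "(none named)";
  console.log(`${f.node}: ${vars}${f.wholeObject ? " + whole process.env / computed key" : ""}`);
}
```

The match is textual, so a process.env mention inside a comment or string is reported as well; for an audit that errs on the side of review rather than omission.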