Task runner environment access
Why accessing process.env in task runners can expose sensitive server configuration
What is this issue?
When Code nodes or task runners access process.env directly, they can read sensitive environment variables like database passwords, API master keys, or encryption secrets that should only be accessible at the server level.
Dangerous patterns:
• process.env.DATABASE_URL in Code node
• Reading N8N_ENCRYPTION_KEY from code
• Accessing cloud provider credentials
• Logging all environment variables
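The patterns above can be found by static review of an exported workflow. The scanner below is an added example, not n8n's or this page's own code; it assumes the export keeps Code node scripts under `parameters.jsCode` for `n8n-nodes-base.code` nodes and under `parameters.functionCode` for legacy `n8n-nodes-base.function` nodes, and the sample workflow is constructed.

```javascript
// Added example: static scan of an exported n8n workflow for process.env reads.
// Assumption: which parameter holds the script for each node type.
const CODE_FIELDS = {
  'n8n-nodes-base.code': ['jsCode'],
  'n8n-nodes-base.function': ['functionCode'], // legacy Function node
};

// Matches process.env.NAME, process.env["NAME"] and a bare process.env
// (the "log everything" case). Groups 1 and 2 capture the variable name.
const ENV_ACCESS =
  /\bprocess\s*\.\s*env\b(?:\s*\.\s*([A-Za-z_$][\w$]*)|\s*\[\s*['"]([^'"]+)['"]\s*\])?/g;

function findEnvAccess(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const field of CODE_FIELDS[node.type] || []) {
      const source = (node.parameters || {})[field];
      if (typeof source !== 'string') continue;
      source.split('\n').forEach((text, i) => {
        for (const m of text.matchAll(ENV_ACCESS)) {
          // variable === null means the whole environment object is read
          findings.push({ node: node.name, line: i + 1, variable: m[1] || m[2] || null });
        }
      });
    }
  }
  return findings;
}

// Constructed sample workflow (not from a real deployment).
const sampleWorkflow = {
  nodes: [
    { name: 'Fetch rows', type: 'n8n-nodes-base.code', parameters: {
      jsCode: 'const url = process.env.DATABASE_URL;\nreturn [{ json: { url } }];' } },
    { name: 'Debug', type: 'n8n-nodes-base.code', parameters: {
      jsCode: 'console.log(process.env);\nconst k = process.env["N8N_ENCRYPTION_KEY"];\nreturn items;' } },
    { name: 'Clean', type: 'n8n-nodes-base.code', parameters: {
      jsCode: 'return items.map((i) => ({ json: { id: i.json.id } }));' } },
    { name: 'HTTP', type: 'n8n-nodes-base.httpRequest', parameters: { url: 'https://example.com' } },
  ],
};

for (const f of findEnvAccess(sampleWorkflow)) {
  console.log(`${f.node}:${f.line} reads ${f.variable ?? 'the entire environment'}`);
}
```

A pattern match like this is a review aid and does not catch indirect access, so the runtime setting N8N_BLOCK_ENV_ACCESS_IN_NODE=true remains the enforcing control.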
Why is this dangerous?
Credential exposure
Server-level secrets like database passwords can be accessed and exfiltrated.
Privilege escalation
Workflow authors gain access to secrets they shouldn't see.
Audit bypass
Environment access bypasses n8n's credential management and logging.
Multi-tenant risks
In shared environments, one user could access another's secrets.
How to fix it
1. Use n8n credentials
   Store secrets in n8n's credential system instead of environment variables.
2. Restrict environment access
   Configure N8N_BLOCK_ENV_ACCESS_IN_NODE=true to prevent env access in Code nodes.
3. Use external runner
   Run Code nodes in isolated task runner containers with minimal env access.
4. Implement Code node allowlist
   Use community nodes or custom extensions that limit available APIs.