The most expensive tool I ever used was completely free.
Until they changed the rules.
One year invested - and then this
After one year running n8n in production, my debugging feature was simply gone one morning. Not broken. Not hidden. Gone. Turns out: debugging is now paid. Documented somewhere in a release note. That I was never going to find.
The pattern almost nobody recognizes
You test something in good faith. It is free, it is powerful, and it seems completely unrestricted. You build on top of it. You rely on it. You recommend it to others. And then - at some point - the vendor changes the rules.
Not secretly. It is written somewhere. Just not where you happened to be looking.
Community Edition = internal use only
The free Community Edition may only be used internally. Anyone running n8n for client projects where clients have direct access needs a paid plan - a few hundred dollars per month. This is in the terms of service. At the very bottom.
Three CVEs with CVSS score 10/10
Germany's Federal Office for Information Security (BSI) and CERT-Bund have issued multiple warnings about critical n8n vulnerabilities. Three CVEs reached the maximum score of 10/10, enabling remote code execution on self-hosted servers. Anyone self-hosting n8n must patch regularly - or risk their server becoming a zombie machine.
Debugging: free today, paid tomorrow
One of the most-used Community Edition features - workflow debugging - was moved behind a paywall. It is now available again after free registration. That is exactly the pattern: the rules change. Sometimes for the better, sometimes not.
n8n is far from alone in this
The chessboard of free AI tools shifts constantly. What is advertised as a free feature today may appear on tomorrow's invoice. I will leave the conclusion to you.
What this means
Never rely on today's rules. Today's rules are tomorrow's fine print.
Of course you can protect yourself: check license models before building, document dependencies, subscribe to changelogs. But if you have ever tried to hold your lawyer accountable after losing a court case - then you know: most experts do not guarantee results. The same applies to tool vendors.
The key takeaway
Never rely on a free tool without understanding its license model, security track record, and change history. The investment in understanding is cheaper than the consequences of not understanding.
Sources
- BSI CERT-Bund: Security Advisory n8n (WID-SEC-2026-0016)
  Documents three CVEs with CVSS score 10/10 enabling remote code execution:
  wid.cert-bund.de - WID-SEC-2026-0016
- BSI CERT-Bund: Further Security Advisories (WID-SEC-2026-0040)
  Second BSI advisory on critical n8n vulnerabilities:
  wid.cert-bund.de - WID-SEC-2026-0040
- The Hacker News: Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Takeover
  Coverage of CVE-2026-21858 "Ni8mare" and its impact on an estimated 100,000 servers:
  thehackernews.com - Critical n8n vulnerability CVSS 10.0
- Heise Online: Two critical vulnerabilities threaten n8n
  Heise reports on CVE-2026-21877 and CVE-2026-21858, both rated at maximum CVSS score:
  heise.de - Two critical vulnerabilities in n8n
- SecurityWeek: Critical Vulnerability Exposes n8n Instances to Takeover Attacks
  Analysis of the attack surface and affected n8n deployments:
  securityweek.com - n8n takeover attacks
- n8n Community Edition Features (official documentation)
  Overview of which features are available in the Community Edition (after registration):
  docs.n8n.io - Community Edition features
- n8n Sustainable Use License (official license terms)
  Explains that the Community Edition is licensed for internal, non-commercial use only:
  docs.n8n.io - Sustainable Use License
- n8n Pricing for Client Projects
  Anyone wanting clients to access n8n workflows directly needs a paid plan:
  n8n.io/pricing