Source: Reddit r/netsec (category: Vulnerabilities, severity: HIGH)

We audited 12K n8n templates: most have critical vulnerabilities

A large-scale audit of 12,750 publicly available n8n workflow templates revealed widespread critical vulnerabilities, including server-side request forgery (SSRF), SQL/NoSQL injection, shell command injection, and AI prompt injection. These vulnerabilities are exploitable pre-authentication in 716 workflows, allowing attackers on the public internet to compromise systems. The analysis found 34,880 total security findings, with 14 critical and 6,174 high-severity issues, primarily stemming from user input being directly bound to dangerous operations like external URL fetching, database queries, and command execution.

TL;DR. This is an n8n template audit at scale. We pulled 12,750 n8n workflow templates: the top 1,000 most-viewed from n8n.io, plus the entire JSON catalog of the eight largest community repositories on GitHub. We ran them through AIronClaw's n8n workflow scanner, the same static-analysis check catalog the product runs against live customer n8n instances. The scanner flagged 34,880 findings across the combined corpora: 14 critical, 6,174 high, 17,406 medium, 11,286 low. 716 workflows have at least one finding an attacker on the public internet can reach pre-authentication. Then we picked six of the worst offenders the scanner flagged and reproduced the attacks end to end on a local instance. These six are the demos we can show start-to-finish without significant edits to the template.

- 12,750 workflows scanned across two corpora. n8n.io top 1,000: 30M cumulative views. Eight GitHub repositories combined for 88K stars and 13K workflow JSONs (11K unique after dedup):
  - Zie619/n8n-workflows: 54,414 stars, 2,066 workflows
  - enescingoz/awesome-n8n-templates: 22,226 stars, 291 workflows
  - wassupjay/n8n-free-templates: 5,802 stars, 202 workflows
  - nusquama/n8nworkflows.xyz: 2,354 stars, 8,584 workflows
  - lucaswalter/n8n-ai-automations: 1,487 stars, 38 workflows
  - Marvomatic/n8n-templates: 1,484 stars, 21 workflows
  - felipfr/awesome-n8n-workflows: 391 stars, 2,044 workflows
  - lqshow/awesome-n8n-workflows: 136 stars, 15 workflows
- 34,880 static-analysis findings on the combined corpora: 14 critical, 6,174 high, 17,406 medium, 11,286 low.
- 716 workflows have at least one vulnerability an attacker on the public internet can reach pre-authentication: server-side request forgery (the worker fetches the URL the request supplies) or SQL / NoSQL injection (the database runs a query the request shapes).
- 6 end-to-end demos, covering 5 distinct harm classes. Every one reproduced with a synthetic local target, a sentinel-marker payload, and the captured execution log.
n8n template audit scope: what we scanned and what we found

The corpus is 12,750 unique n8n workflow templates. Adopters pull templates, configure and use them. During the audit, we found the following bugs and vulnerabilities:

| Check | Total findings | High severity | Workflows affected |
| --- | --- | --- | --- |
| SSRF (URL host bound to external data) | 2,482 | 671 | 1,472 |
| SQL / NoSQL injection in DB query | 283 | 47 | 114 |
| Shell command injection (executeCommand or ssh) | 270 | 96 | 121 |
| Prompt injection in AI agent (prompt bound to external data) | 5,293 | 3,202 | 3,484 |
| Webhook without authentication | 2,527 | 2,527 | 2,171 |
| URL path / query bound to external data | 2,833 | 760 | 1,507 |
| PII / secrets in pin or parameter data | 5,079 | 163 | 2,016 |
| Hardcoded secrets in node parameters | 106 | 45 | 53 |
| Active workflow with no error handling | 10,927 | 0 | 10,927 |
| HTTP without TLS | 799 | 0 | 351 |

2,488 workflows out of 12,750 (19.5%) are real-exploitable: at least one high-severity SSRF, SQL injection, or AI-agent prompt-injection finding an attacker on the public internet can reach pre-authentication. Two more buckets sit close behind. 38 distinct workflows ship a shell-command sink (executeCommand or ssh) whose command is built from request-tainted data, the RCE class. 2,171 workflows expose a public webhook with no authentication: the front door has no lock, even when nothing harmful sits behind it today. The remaining checks (path injection, sensitive data in pin data, plain HTTP, no error handling) are also reported but don't all map directly to pre-auth attacker primitives. The "no error handling" count is large because n8n requires the operator to opt in to error workflows; most templates ship without one.

About the methodology: what "as-shipped" actually means

Every "high-severity" tag, every count, every demo target we picked came out of the scanner first. The hand work was reproducing the attacks the scanner predicted on a local n8n. An n8n template is not a finished product. It's a JSON file an adopter clones, imports, wires credentials to, and activates. Some "templates" run unchanged the moment you wire your credentials. Others have setup steps the README explicitly tells you to perform (set a chatTrigger.public to true, point an IMAP credential at your mailbox, change a placeholder Set node value). The setup steps are not a fix for a bug; they are how the template is supposed to be deployed. For this audit, we ran each demo against the workflow JSON as published, with only the configuration steps a real adopter would also have to perform. We label each demo below as one of three categories:

- 🟢 Verbatim: workflow JSON imported with no changes. Only credentials wired. This is what an adopter who clones and "just runs it" gets.
- 🟡 README setup: workflow JSON with only the setup steps the template's README describes (or that the workflow's own placeholder fields strongly imply, e.g. an empty repoUrl field obviously meant to be filled in). Anyone who deploys this template ends up at this state.

If you are looking for the fastest way to turn that RCE...
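To make the "sink bound to external data" checks in the table concrete, here is a small static checker of the kind a template adopter could run over a workflow JSON before importing it. This is an added example, not AIronClaw's scanner or any code from the article; it assumes the standard n8n export shape (a `nodes` list with `type` and `parameters`), the node type ids shown, that expressions start with `=` and interpolate `{{ }}`, and that a webhook node with no `authentication` key defaults to none. The workflow JSON is constructed for the example.

```python
import json
import re

# Constructed n8n workflow (not one of the audited templates): a public webhook
# feeds an HTTP Request node and an Execute Command node via expressions.
WORKFLOW_JSON = """{
 "nodes": [
  {"name": "Webhook", "type": "n8n-nodes-base.webhook",
   "parameters": {"httpMethod": "POST", "path": "fetch"}},
  {"name": "Fetch URL", "type": "n8n-nodes-base.httpRequest",
   "parameters": {"url": "={{ $json.body.url }}"}},
  {"name": "Run", "type": "n8n-nodes-base.executeCommand",
   "parameters": {"command": "=curl -s {{ $json.body.url }}"}},
  {"name": "Static fetch", "type": "n8n-nodes-base.httpRequest",
   "parameters": {"url": "https://api.example.com/health"}}
 ]
}"""

# Sink parameter per node type, and the finding class it maps to.
SINKS = {
    "n8n-nodes-base.httpRequest":
        ("url", "SSRF: URL bound to external data"),
    "n8n-nodes-base.executeCommand":
        ("command", "Command injection: shell command bound to external data"),
    "n8n-nodes-base.ssh":
        ("command", "Command injection: SSH command bound to external data"),
}

# Expression references that read data flowing in from an upstream node
# ($json, $input, $('Node name')); treated as request-tainted here.
TAINT = re.compile(r"\$json\b|\$input\b|\$\(['\"]")

def scan_workflow(raw):
    """Return (node name, finding) pairs for one workflow JSON string."""
    findings = []
    for node in json.loads(raw).get("nodes", []):
        params = node.get("parameters", {})
        # Assumption: n8n omits default values, so a missing key means "none".
        if node["type"] == "n8n-nodes-base.webhook" and \
                params.get("authentication", "none") == "none":
            findings.append((node["name"], "Webhook without authentication"))
        sink = SINKS.get(node["type"])
        if sink:
            value = str(params.get(sink[0], ""))
            # Only expression-valued sinks ('=' prefix) can carry runtime input.
            if value.startswith("=") and TAINT.search(value):
                findings.append((node["name"], sink[1]))
    return findings

if __name__ == "__main__":
    for name, finding in scan_workflow(WORKFLOW_JSON):
        print(f"{name}: {finding}")
```

A literal URL such as the "Static fetch" node is not flagged, which mirrors the table's distinction between a sink and a sink bound to external data.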
