Self-Hosted Weekly: Week 26, 2026. n8n RCE, Ingress-Nginx Retired, KubeCon Goes Agent
Two remote-code-execution holes in tools you probably run, a Kubernetes mainstay officially put in the ground, and the whole industry deciding that agents need their own infrastructure. This was not a quiet week. If you only do one thing after reading this, patch n8n and Open WebUI. Then come back for the rest. Here is what mattered between June 20 and 26.
The week at a glance
| Story | Why it matters |
|---|---|
| n8n RCE (CVE-2026-25049) | Critical remote code execution, patch to 2.5.2 now |
| Open WebUI RCE (CVE-2025-64496) | Account takeover via Direct Connections, fixed in 0.6.35 |
| ingress-nginx retired | No more security fixes, time to migrate |
| KubeCon India | Agents, MCP, and GPU orchestration take over |
1. n8n ships a critical RCE fix (CVE-2026-25049)
n8n disclosed a critical vulnerability in how it sanitizes workflow expressions. The flaw assumes property-access keys are always strings, and an attacker who can influence an expression can escape the sandbox into full remote code execution on the host. Every release before 2.5.2 on the 2.x line and before 1.123.17 on the 1.x line is affected.
My take: n8n is one of the most-deployed self-hosted tools on the planet, and "expression evaluation" is its whole personality, so this is about as bad as it gets for them. The saving grace is the fix is a version bump. If your n8n is reachable by anyone you do not completely trust, treat this as a drop-everything upgrade. This is the second serious n8n expression bug in recent memory, which is a fair reminder that powerful automation engines are also powerful attack surfaces.
2. Open WebUI account takeover, chained to RCE (CVE-2025-64496)
Open WebUI, the go-to front end for self-hosted LLMs, had a high-severity flaw in its Direct Connections feature. A malicious external model server could inject JavaScript through server-sent events, steal your auth token, take over your account, and when chained with the Functions API, reach remote code execution on the backend. Versions 0.6.34 and earlier are affected; 0.6.35 blocks the dangerous SSE events.
My take: The catch is that you have to be lured into connecting to a hostile model server, so this is not wormable. But "just connect to my cool new model endpoint" is exactly the kind of thing people paste into a chat UI without thinking. Update to 0.6.35, and if you do not use Direct Connections, turn the feature off entirely.
3. ingress-nginx is officially retired
It is done. As of March 2026 the Kubernetes ingress-nginx controller is retired: the repo is archived, read-only, and will receive no further releases or security patches. The intended successor, InGate, never matured and is being wound down too. The recommended path forward is the Gateway API, with controllers like Traefik, Envoy Gateway, and Contour.
My take: A huge number of clusters still quietly run ingress-nginx, and "no more security fixes" on an internet-facing component is not a position you want to be in. There is no drop-in heir, which is the uncomfortable part, so this is a migration project, not a swap. The upside is the Gateway API is genuinely better designed. Start planning the move now rather than the week a CVE drops with no patch coming.
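To make the migration concrete, here is an added, constructed example (not from the newsletter or any of the named projects): a typical ingress-nginx Ingress beside the Gateway API pair that replaces it, with the cluster-wide Gateway split from the per-app HTTPRoute. The namespaces, hostname, Secret and Service names are placeholders, and the gatewayClassName is an assumption; the real class name comes from whichever controller you install.

```yaml
# Before: an Ingress served by the now-retired ingress-nginx controller
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: {name: app, namespace: apps}
spec:
  ingressClassName: nginx
  tls:
  - hosts: [app.example.com]
    secretName: app-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: {name: app, port: {number: 8080}}
---
# After (1/2): a shared Gateway owned by the platform team; "envoy" is an
# assumed placeholder, use the GatewayClass your chosen controller registers
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata: {name: edge, namespace: infra}
spec:
  gatewayClassName: envoy
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: app.example.com
    tls:
      mode: Terminate
      certificateRefs: [{name: app-tls}]   # cross-namespace refs need a ReferenceGrant
    allowedRoutes:
      namespaces: {from: All}   # tighten to Selector once teams are onboarded
---
# After (2/2): the app team's HTTPRoute, which attaches to the Gateway above
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata: {name: app, namespace: apps}
spec:
  parentRefs: [{name: edge, namespace: infra}]
  hostnames: [app.example.com]
  rules:
  - matches: [{path: {type: PathPrefix, value: /}}]
    backendRefs: [{name: app, port: 8080}]
```

The part with no mechanical translation is the annotation layer: ingress-nginx rewrites, forced HTTPS redirects and rate limits each become an HTTPRoute filter or a controller-specific policy, so that is where to budget the migration time.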
4. KubeCon India: it is all agents now
KubeCon India wrapped on June 19, and the throughline was impossible to miss. The hard problems on stage were GPU orchestration, running thousands of AI jobs without the bill exploding, and agent infrastructure: new gRPC transports for MCP, security layers around agents, and private MCP registries. Kubernetes is positioning itself as the place you run agents and inference at scale.
My take: A year ago this track would have been a curiosity. Now it is the main event. MCP showing up "constantly" matches what we are seeing ourselves, and it is why we have been writing about it. If you run infrastructure, agent-shaped workloads are coming to your cluster whether you invited them or not.
5. Google open-sources GKE Agent Sandbox
Right on theme, Google open-sourced Agent Sandbox, a Kubernetes SIG Apps subproject that uses gVisor kernel isolation to run untrusted agent-generated code, reportedly spinning up 300 sandboxes per second. It pairs with an open-source GKE MCP Server that lets agents manage and monitor clusters through a standard interface.
My take: This is the right problem to be solving. The moment you let an agent execute code, "where does that code run" becomes the entire security story, and the answer cannot be "directly on your node." Seeing strong sandboxing land as open source, not a proprietary cloud lock-in, is exactly what the self-hosted world needs.
6. UN Open Source Week 2026
The UN held its Open Source Week at headquarters in New York from June 22 to 26, with days dedicated to open source and AI, Digital Public Infrastructure, and Open Source Programme Offices. The framing throughout was open source as a foundation for digital sovereignty and the Sustainable Development Goals.
My take: It is easy to be cynical about a UN event, but open source as public infrastructure is a real and growing policy position, especially in Europe. When governments start treating self-hosted and open code as a sovereignty requirement rather than a hobby, that is tailwind for everyone reading this.
7. Immich v3 enters release candidates
Immich, the self-hosted Google Photos replacement, is closing in on its v3 release, now at rc.2 with stable still on the 2.x line. The headline additions are non-destructive mobile editing and a new workflows feature for automating actions across your library.
My take: Immich keeps setting the bar for what a polished self-hosted app feels like. Mobile editing is the kind of quality-of-life feature that pushes people off cloud photo services for good. You can spin up Immich on Elestio to test the RC on a copy, but let it reach stable before you point your only library at it.
8. Mastodon 4.6 ships
On the fediverse side, Mastodon pushed a 4.6 patch with new account-update API fields for avatar and header descriptions, plus a broad sweep of web UI, login, emoji, media, and profile fixes.
My take: Unglamorous, and that is fine. Steady accessibility and API improvements are how a mature platform keeps its developers and instance admins happy. The fediverse does not need fireworks every release; it needs to keep working.
What we're watching next week
- ingress-nginx migration guides. Expect a wave of "how we moved to Gateway API" write-ups as the reality sinks in.
- More agent-sandbox tooling. With Google open-sourcing Agent Sandbox, watch for self-hostable alternatives and gVisor/Firecracker comparisons.
- Immich v3 stable. The RCs are close; the final could land any week now.
- Fallout from the n8n and Open WebUI bugs. Watch for scans and exploit write-ups targeting unpatched instances.
The bottom line
If there is a theme this week, it is that self-hosted no longer means small-time. The tools we run have real attack surfaces, the orchestration world is rebuilding itself around agents, and even the UN is talking about open source as critical infrastructure. All of that is a sign the ecosystem is growing up. Growing up means patching on time. Update n8n and Open WebUI today, and start your ingress-nginx exit plan.
Thanks for reading ❤️ See you next Friday 👋