Now receiving an error in a set node that only days ago it was working great

Describe the problem/error/question

I have been using this workflow for a while now and suddenly I am receiving an error. I am trying to pass inputs from Vapi in the Set node field and this is the error I’m getting: [Cannot access “arguments” due to security concerns]. As I mentioned, I have been using this workflow and it has worked perfectly; I have changed nothing and am suddenly getting this error.

What is the error message (if any)?

[Cannot access “arguments” due to security concerns]

Just so it is understood, Vapi is sending data through a webhook to n8n, where I will use that data to update a calendar. All the information from the webhook is coming in correctly and the next step in the workflow is the Set node where you are seeing this error.

Hi @WeAdaptAI_Team Welcome to the community!
I guess instead of using arguments in your flow, try passing the data directly from Vapi’s webhook, as sometimes n8n blocks arguments.

This is just n8n blocking arguments because it’s a reserved JavaScript keyword. Use bracket notation instead, like $json.body.message.toolCalls[0].function["arguments"].full_name, and it’ll work fine. Probably got caught by a security update they rolled out recently.

Yeah this is an n8n sandbox thing, it blocks arguments because it’s a reserved JS keyword. Just use bracket notation to get around it like {{ $json.body.message.toolCalls[0].function["arguments"].full_name }} and do the same for any other fields under arguments, that should fix it right up.

Yes, I came to the same conclusion about arguments being the problem. I have even tried your suggestion in the past, but it still does not work. Any other suggestions would be greatly appreciated.

I’m sorry, I do not understand what it is that you’re suggesting.

Try mapping the fields directly from the webhook instead of JSON. I mean drag that input and drop it in the set node.

That is exactly what I did initially and exactly what I’m still doing and it is giving me this error.

I have the webhook. And then the set node. Inside the set node I am dragging the input directly into the field set. This is where I get the error.

Hi @WeAdaptAI_Team

After reproducing your exact setup locally, I found that the easiest way to fix both problems at once is to ditch the Set node and drop a Code node right after your webhook, since it runs in a different environment that doesn’t block the keyword (screenshots attached).

Just paste this into the Code node:

const data = $input.first().json;

// safely grab the blocked keyword
const rawArgs = data.body.message.toolCalls[0].function['arguments'];

// parse the stringified json vapi sends
const parsedArgs = typeof rawArgs === 'string' ? JSON.parse(rawArgs) : rawArgs;

return {
  json: {
    full_name: parsedArgs.full_name
  }
};


Once you run this, it parses the Vapi data and spits out a clean full_name variable. You can then drag that clean output straight into your calendar node without hitting any security errors. Let me know if that gets it running for you!

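A more defensive variant of the Code node approach above, added here as an example (not code from the original post, n8n or Vapi): the webhook body is untrusted input, so it tolerates a missing or malformed `arguments` value and copies only the fields the workflow expects. `extractToolArgs` and `ALLOWED_FIELDS` are hypothetical names and the sample payloads are constructed.

```javascript
// Added example. extractToolArgs / ALLOWED_FIELDS are hypothetical names.
// In a Code node it would be called as (assumption, mirroring the post above):
//   return { json: extractToolArgs($input.first().json).fields };
const ALLOWED_FIELDS = ['full_name']; // the only field named in this thread

function extractToolArgs(payload, allowed = ALLOWED_FIELDS) {
  // Optional chaining avoids a TypeError when the webhook body is incomplete.
  const fn = payload?.body?.message?.toolCalls?.[0]?.function;
  const raw = fn?.['arguments']; // bracket notation, as in the thread
  if (raw === undefined || raw === null) {
    return { ok: false, error: 'missing arguments', fields: {} };
  }
  let parsed = raw;
  if (typeof raw === 'string') {
    // The value may arrive as stringified JSON; a bad string must not crash the run.
    try {
      parsed = JSON.parse(raw);
    } catch {
      return { ok: false, error: 'arguments is not valid JSON', fields: {} };
    }
  }
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    return { ok: false, error: 'arguments is not an object', fields: {} };
  }
  // Copy only expected, own, string-valued properties; everything else is dropped.
  const fields = {};
  for (const key of allowed) {
    const own = Object.prototype.hasOwnProperty.call(parsed, key);
    if (own && typeof parsed[key] === 'string') {
      fields[key] = parsed[key].trim();
    }
  }
  return { ok: true, error: null, fields };
}

// Constructed sample payloads in the shape used in this thread.
const wrap = (args) => ({
  body: { message: { toolCalls: [{ function: { name: 'book', arguments: args } }] } },
});
const asString = wrap('{"full_name":" Jane Doe ","caller":"unexpected"}');
const asObject = wrap({ full_name: 'Jane Doe' });
const broken = wrap('{"full_name": ');

console.log(extractToolArgs(asString)); // stringified arguments, extra key dropped
console.log(extractToolArgs(asObject)); // already-parsed arguments
console.log(extractToolArgs(broken));   // malformed JSON is reported, not thrown
```

Downstream nodes then read `full_name` from the Code node output and never touch the `arguments` key in an expression.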

@WeAdaptAI_Team you need to set an environment variable to allow access to these objects:

Add this environment variable to your n8n instance:

N8N_BLOCK_ENV_ACCESS_IN_NODE=false

If using Docker:
Add to your docker-compose.yml or docker run command:

environment:
  - N8N_BLOCK_ENV_ACCESS_IN_NODE=false

If using npm/self-hosted:
Add to your .env file or export it:

export N8N_BLOCK_ENV_ACCESS_IN_NODE=false

Then restart n8n for the change to take effect.

This setting reduces security restrictions. Only use it if you trust all users who can create/edit workflows.

Can you share what expression you’re using in the Set node that’s causing the error?

This was the exact workaround I ended up using last night. I just forgot to message in here that I came up with a workaround, and I was hoping that there was just another way. By the way, thank you A_A4 so much for taking the time to help with this solution. You’re awesome.

True, Orionpax, this is an option, but I like the added security, which is why I ended up going with the above post. Thank you anyways for your help.

I have the exact same issue with a set node, but accessing $json.caller.tmp throws the error

Cannot access "caller" due to security concerns [item 0]

Why was this added in the set node? I thought a set node is much more efficient in executions than a code node which is executed in a runner?

Is it possible to fix this while still using the set nodes?

Seems to be related to this new RCE prevention:

Okay, I made a quick fix myself by adding a new set node which makes a toJsonString() and replaces the field name “caller” to “_caller” and parseJson() again:

{{ $json.toJsonString().replaceAll('"caller":', '"_caller":').parseJson()._caller }}

This allows me to access the data later with _caller.
