CVE-2026-27496
Uninitialized Memory Disclosure in n8n JavaScript Task Runner
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | Up to 1.123.22 (exc) |
| n8n | n8n | From 2.0.0 (inc) to 2.9.3 (exc) |
| n8n | n8n | 2.10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27496 is a high-severity vulnerability in the n8n workflow automation platform, specifically in its JavaScript Task Runner component.
An authenticated user with permission to create or modify workflows can exploit this vulnerability by causing the Task Runner to allocate uninitialized memory buffers.
These uninitialized buffers may contain residual data from the same Node.js process, including sensitive information such as data from prior requests, tasks, secrets, or tokens.
This leads to information disclosure of sensitive in-process data.
The vulnerability is exploitable only if Task Runners are enabled using the environment variable N8N_RUNNERS_ENABLED=true.
In external runner mode, the impact is limited to data within the external runner process.
The issue has been fixed in n8n versions 1.123.22, 2.10.1, and 2.9.3.
How can this vulnerability impact me?
This vulnerability can lead to the disclosure of sensitive in-process memory data within the n8n platform.
An attacker with workflow creation or modification permissions can access residual data from uninitialized memory buffers, which may include secrets, tokens, and data from prior requests or tasks.
Such information disclosure can compromise the confidentiality of sensitive data handled by the platform.
The vulnerability has a high severity score (CVSS v4 base score 7.1) and can be exploited remotely with low complexity and no user interaction.
Temporary mitigations include limiting workflow creation and editing permissions to fully trusted users and using external runner mode to isolate the runner process, but these do not fully eliminate the risk.
Upgrading to the fixed versions is strongly recommended to fully remediate the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, users should upgrade n8n to versions 1.123.22, 2.10.1, 2.9.3 or later, where the issue has been fixed.
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Use external runner mode by setting the environment variable N8N_RUNNERS_MODE=external to isolate the runner process.
Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows disclosure of sensitive in-process data such as secrets and tokens due to uninitialized memory buffers being accessible to authenticated users with workflow modification permissions.
Such information disclosure could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized access or leakage.
Organizations using affected versions of n8n should upgrade to patched versions or apply mitigations to reduce the risk of sensitive data exposure and help maintain compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network indicators provided for this vulnerability. Detection primarily involves verifying the version of the n8n workflow automation platform in use and checking configuration settings related to the JavaScript Task Runner.
To detect if your system is vulnerable, you should:
- Check the installed n8n version: releases before 1.123.22, 2.x releases from 2.0.0 up to but not including 2.9.3, and 2.10.0 are affected; 1.123.22, 2.9.3 and 2.10.1 contain the fix.
- Verify if the Task Runner feature is enabled by checking the environment variable N8N_RUNNERS_ENABLED. If set to true, the vulnerability could be exploitable.
- Check if the system is running in external runner mode (N8N_RUNNERS_MODE=external), which limits the impact.
Example commands to gather this information might include:
- To check the n8n version: `n8n --version`
- To check environment variables (Linux/macOS): `printenv | grep N8N_RUNNERS` or `echo $N8N_RUNNERS_ENABLED` and `echo $N8N_RUNNERS_MODE`
Since the vulnerability involves uninitialized memory buffers accessible via workflow creation or modification by authenticated users, monitoring for unusual workflow creation or modification activity by users with such permissions may also help detect exploitation attempts.
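The version and environment checks above, combined into one script as an added example (not code from the advisory or the n8n project). It assumes `n8n --version` prints a numeric dotted version, and the names `vercmp`, `n8n_affected`, `runner_exposure` and `assess` are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the n8n project): classify an installed
# n8n version and runner settings against CVE-2026-27496. Affected ranges come
# from the advisory's table: < 1.123.22, 2.0.0 <= v < 2.9.3, exactly 2.10.0.
# Assumes `n8n --version` prints a numeric dotted version (leading "v" tolerated).

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions component-wise.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*} bi=${b%%.*}
    [ "${ai:-0}" -lt "${bi:-0}" ] && { echo -1; return 0; }
    [ "${ai:-0}" -gt "${bi:-0}" ] && { echo 1; return 0; }
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  echo 0
}

# n8n_affected VERSION: exit 0 when VERSION falls in an affected range.
n8n_affected() {
  v=${1#v}
  [ "$(vercmp "$v" 1.123.22)" -lt 0 ] && return 0
  [ "$(vercmp "$v" 2.0.0)" -ge 0 ] && [ "$(vercmp "$v" 2.9.3)" -lt 0 ] && return 0
  [ "$(vercmp "$v" 2.10.0)" -eq 0 ] && return 0
  return 1
}

# runner_exposure ENABLED MODE: maps N8N_RUNNERS_ENABLED and N8N_RUNNERS_MODE to
# the exposure the advisory describes: none (runners off, not exploitable),
# external (impact limited to the runner process) or internal (in-process data).
runner_exposure() {
  if [ "$1" != "true" ]; then echo none
  elif [ "$2" = "external" ]; then echo external
  else echo internal
  fi
}

# assess: check the n8n binary on PATH together with the current environment.
assess() {
  ver=$(n8n --version 2>/dev/null | tr -d 'v[:space:]') || true
  [ -n "$ver" ] || { echo "n8n not found on PATH"; return 2; }
  if n8n_affected "$ver"; then
    echo "n8n $ver is affected; runner exposure: $(runner_exposure "${N8N_RUNNERS_ENABLED:-}" "${N8N_RUNNERS_MODE:-}")"
  else
    echo "n8n $ver is a fixed version"
  fi
}

[ "${1:-}" = "assess" ] && assess
```

Run it as `sh check.sh assess` on the host where n8n is installed; the functions can also be sourced and used on a version string collected elsewhere.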