CVE-2026-27496
Received Received - Intake
Uninitialized Memory Disclosure in n8n JavaScript Task Runner

Publication date: 2026-03-25

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process β€” including data from prior requests, tasks, secrets, or tokens β€” resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.10.1 , and 2.9.3. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27496
EUVD
EUVD-2026-15938
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
n8n n8n to 1.123.22 (exc)
n8n n8n From 2.0.0 (inc) to 2.9.3 (exc)
n8n n8n 2.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows disclosure of sensitive in-process data such as secrets and tokens due to uninitialized memory buffers being accessible to authenticated users with workflow modification permissions.

Such information disclosure could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized access or leakage.

Organizations using affected versions of n8n should upgrade to patched versions or apply mitigations to reduce the risk of sensitive data exposure and help maintain compliance with these standards.

Detection Guidance

There are no specific detection commands or network indicators provided for this vulnerability. Detection primarily involves verifying the version of the n8n workflow automation platform in use and checking configuration settings related to the JavaScript Task Runner.

To detect if your system is vulnerable, you should:

  • Check the installed n8n version to see if it is prior to 1.123.22, 2.9.3, or 2.10.1, as these versions contain the fix.
  • Verify if the Task Runner feature is enabled by checking the environment variable N8N_RUNNERS_ENABLED. If set to true, the vulnerability could be exploitable.
  • Check if the system is running in external runner mode (N8N_RUNNERS_MODE=external), which limits the impact.

Example commands to gather this information might include:

  • To check the n8n version: `n8n --version`
  • To check environment variables (Linux/macOS): `printenv | grep N8N_RUNNERS` or `echo $N8N_RUNNERS_ENABLED` and `echo $N8N_RUNNERS_MODE`

Since the vulnerability involves uninitialized memory buffers accessible via workflow creation or modification by authenticated users, monitoring for unusual workflow creation or modification activity by users with such permissions may also help detect exploitation attempts.

Executive Summary

CVE-2026-27496 is a high-severity vulnerability in the n8n workflow automation platform, specifically in its JavaScript Task Runner component.

An authenticated user with permission to create or modify workflows can exploit this vulnerability by causing the Task Runner to allocate uninitialized memory buffers.

These uninitialized buffers may contain residual data from the same Node.js process, including sensitive information such as data from prior requests, tasks, secrets, or tokens.

This leads to information disclosure of sensitive in-process data.

The vulnerability is exploitable only if Task Runners are enabled using the environment variable N8N_RUNNERS_ENABLED=true.

In external runner mode, the impact is limited to data within the external runner process.

The issue has been fixed in n8n versions 1.123.22, 2.10.1, and 2.9.3.

Impact Analysis

This vulnerability can lead to the disclosure of sensitive in-process memory data within the n8n platform.

An attacker with workflow creation or modification permissions can access residual data from uninitialized memory buffers, which may include secrets, tokens, and data from prior requests or tasks.

Such information disclosure can compromise the confidentiality of sensitive data handled by the platform.

The vulnerability has a high severity score (CVSS v4 base score 7.1) and can be exploited remotely with low complexity and no user interaction.

Temporary mitigations include limiting workflow creation and editing permissions to fully trusted users and using external runner mode to isolate the runner process, but these do not fully eliminate the risk.

Upgrading to the fixed versions is strongly recommended to fully remediate the vulnerability.

Mitigation Strategies

To mitigate this vulnerability immediately, users should upgrade n8n to versions 1.123.22, 2.10.1, 2.9.3 or later, where the issue has been fixed.

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Use external runner mode by setting the environment variable N8N_RUNNERS_MODE=external to isolate the runner process.

Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27496. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart