Description
n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.10.1, and 2.9.3. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: In-Process Memory Disclosure
Action: Immediate Patch
AI Analysis

Impact

An authenticated user who can create or modify workflows can trigger the JavaScript Task Runner to allocate uninitialized memory buffers. These buffers may contain residual data from the same Node.js process, including secrets, tokens, or other sensitive information. The flaw results in information disclosure and is classified as CWE-908.

Affected Systems

The vulnerability affects the n8n-io n8n automation platform. Versions prior to 1.123.22, 2.9.3, and 2.10.1 are susceptible. The issue was fixed in the corresponding patch releases, which should be applied to remove the risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication and the ability to create or edit workflows, and Task Runners must be enabled. Attackers could read residual memory data, potentially exposing confidential information.

Generated by OpenCVE AI on March 27, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n version 1.123.22, 2.9.3, or 2.10.1 or later to eliminate the flaw.
  • If upgrade is not immediately possible, restrict workflow creation and editing permissions to fully trusted users only.
  • Alternatively, enable external runner mode by setting N8N_RUNNERS_MODE=external to isolate the runner process and limit the scope of any data leakage.
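
A triage helper for the actions above, added here as an example (it is not OpenCVE or n8n code): it classifies an instance from its n8n version and the two environment variables named in the description. The function names, status strings and the mapping of release lines to fixed versions are assumptions of this example.

```javascript
// Added example. Fixed versions are taken from the advisory text:
// 1.123.22, 2.9.3 and 2.10.1.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Assumption: 1.x and older are measured against 1.123.22, 2.0 to 2.9 against
// 2.9.3, and 2.10 and later against 2.10.1.
function fixedBaseline(v) {
  if (v[0] <= 1) return [1, 123, 22];
  if (v[0] === 2 && v[1] <= 9) return [2, 9, 3];
  return [2, 10, 1];
}

function isPatched(version) {
  const v = parseVersion(version);
  return compare(v, fixedBaseline(v)) >= 0;
}

function assessExposure(version, env = process.env) {
  if (isPatched(version)) return { status: 'patched', action: 'none' };
  // Follows the advisory's wording: runners count as enabled only when
  // N8N_RUNNERS_ENABLED=true is set explicitly. Version defaults are not modelled.
  if (env.N8N_RUNNERS_ENABLED !== 'true') {
    return { status: 'vulnerable-version-runners-not-enabled', action: 'upgrade' };
  }
  // External mode limits disclosure to the runner process; it is not a fix.
  if (env.N8N_RUNNERS_MODE === 'external') {
    return { status: 'exposed-limited-to-external-runner', action: 'upgrade' };
  }
  return {
    status: 'exposed',
    action: 'upgrade; until then restrict workflow editing to trusted users ' +
            'or set N8N_RUNNERS_MODE=external',
  };
}

// Constructed sample input, not a real deployment.
console.log(assessExposure('2.10.0', { N8N_RUNNERS_ENABLED: 'true' }));
```
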

Advisories
Source ID Title
Github GHSA GHSA-xvh5-5qg4-x9qp n8n has In-Process Memory Disclosure in its Task Runner
History

Fri, 27 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
cpe:2.3:a:n8n:n8n:2.10.0:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.10.1, and 2.9.3. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Title n8n has In-Process Memory Disclosure in its Task Runner
Weaknesses CWE-908
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T20:09:07.795Z

Reserved: 2026-02-19T19:46:03.542Z

Link: CVE-2026-27496

Vulnrichment

Updated: 2026-03-25T20:09:03.708Z

NVD

Status: Analyzed

Published: 2026-03-25T18:16:31.310

Modified: 2026-03-27T19:48:33.473

Link: CVE-2026-27496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:18Z

Weaknesses