CVE-2026-27496

EUVD-2026-15938 | HIGH | 7.1 (CVSS 4.0)
2026-03-25 | https://github.com/n8n-io/n8n | GHSA-xvh5-5qg4-x9qp

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), Patch available
Analysis Generated: Mar 25, 2026 - 17:01 (vuln.today)
EUVD ID Assigned: Mar 25, 2026 - 17:01 (euvd), EUVD-2026-15938
CVE Published: Mar 25, 2026 - 17:00 (nvd), HIGH 7.1

Description

## Impact

An authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process, including data from prior requests, tasks, secrets, or tokens, resulting in information disclosure of sensitive in-process data.

- Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`.
- In external runner mode, the impact is limited to data within the external runner process.

## Patches

The issue has been fixed in n8n versions >= 1.123.22, >= 2.10.1, and >= 2.9.3. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Analysis

An information disclosure vulnerability exists in n8n workflow automation software when Task Runners are enabled, allowing authenticated users with workflow creation or modification permissions to allocate uninitialized memory buffers through the JavaScript Task Runner. These buffers may contain residual data from the same Node.js process including secrets, tokens, and data from prior requests, leading to sensitive information exposure. …


Remediation

Within 24 hours: Inventory all n8n deployments with Task Runners enabled and identify users with workflow creation/modification permissions; assess whether production workflows contain sensitive credentials. Within 7 days: Disable Task Runner functionality if not operationally critical, or implement strict access controls limiting workflow modification to essential personnel only; review audit logs for suspicious workflow modifications. …
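
One way to run the inventory step above against the fixed versions and runner settings from the Description. This is an added example, not code from n8n or from this advisory. The per-release-line reading of the fixed versions, the status labels, and the inventory records are assumptions constructed for illustration.

```javascript
// Added example: triage constructed n8n deployment records for CVE-2026-27496.
// Assumption: each fixed release in the advisory covers its own release line
// (1.x -> 1.123.22, 2.9.x -> 2.9.3, everything else on 2.x or later -> 2.10.1).
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable n8n version: ${s}`);
  return m.slice(1).map(Number);
}

function fixedFor([major, minor]) {
  if (major === 2 && minor === 9) return [2, 9, 3];
  if (major >= 2) return [2, 10, 1];
  return [1, 123, 22];
}

function isPatched(version) {
  const v = parseVersion(version);
  const f = fixedFor(v);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== f[i]) return v[i] > f[i];
  }
  return true; // exactly the fixed release
}

// env holds the deployment's environment variables as strings.
function assess({ version, env = {} }) {
  if (isPatched(version)) return "patched";
  const enabled = env.N8N_RUNNERS_ENABLED?.toLowerCase();
  if (enabled === "false") return "runners-disabled";
  // Unset is reported for manual review: the page does not state the default.
  if (enabled !== "true") return "verify-runners";
  // External mode limits the exposure to the runner process; it is not a fix.
  return env.N8N_RUNNERS_MODE === "external" ? "exposed-external-runner" : "exposed";
}

// Constructed inventory (hypothetical hosts, not real deployments).
const inventory = [
  { name: "prod", version: "1.123.21", env: { N8N_RUNNERS_ENABLED: "true" } },
  { name: "stage", version: "2.9.2", env: { N8N_RUNNERS_ENABLED: "true", N8N_RUNNERS_MODE: "external" } },
  { name: "dev", version: "2.10.0", env: {} },
  { name: "lab", version: "2.10.1", env: { N8N_RUNNERS_ENABLED: "true" } },
  { name: "old", version: "1.100.0", env: { N8N_RUNNERS_ENABLED: "false" } },
];

function triage(list) {
  return list.map((d) => ({ name: d.name, status: assess(d) }));
}

console.table(triage(inventory));
```

Deployments reported as `exposed-external-runner` or `runners-disabled` are still unpatched and remain upgrade candidates, since the workarounds are described as short-term only.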


Priority Score

36
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0
