CVE-2026-27496

Name of the Vulnerable Software and Affected Versions n8n versions prior to 1.123.22 n8n versions prior to 2.9.3 n8n versions prior to 2.10.1

Description An authenticated user with permission to create or modify workflows could allocate uninitialized memory buffers using the JavaScript Task Runner. These uninitialized buffers may contain residual data from the same Node.js process, including data from prior requests, tasks, secrets, or tokens, potentially leading to information disclosure of sensitive in-process data. The Task Runners must be enabled using the N8N RUNNERS ENABLED=true variable. When using external runner mode, the impact is limited to data within the external runner process.

Recommendations Upgrade to n8n version 1.123.22 or later. Upgrade to n8n version 2.9.3 or later. Upgrade to n8n version 2.10.1 or later. If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only. If upgrading is not immediately possible, use external runner mode (N8N RUNNERS MODE=external) to isolate the runner process.