CVE-2026-27496: n8n: uninitialized buffer leaks secrets via Task Runner

GHSA-xvh5-5qg4-x9qp MEDIUM
Published March 25, 2026
CISO Take

Authenticated n8n users with workflow edit rights can read raw Node.js process memory — including API keys, tokens, and secrets from other workflows — by allocating uninitialized buffers in the JavaScript Task Runner. This is a one-liner exploit for any insider or compromised account. Upgrade to 1.123.22/2.9.3/2.10.1 immediately and audit who holds workflow editor permissions today.

What is the risk?

Despite CVSS 6.5 (Medium), the confidentiality impact is effectively HIGH in AI automation contexts. n8n commonly holds LLM provider API keys (OpenAI, Anthropic), database credentials, webhook secrets, and OAuth tokens in-process. Any authenticated user with workflow edit access can exploit this with trivial JavaScript knowledge — no privilege escalation or complex chain required. Risk is amplified where n8n acts as an AI agent orchestrator, aggregating credentials for multiple downstream AI services.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         < 1.123.22         1.123.22

Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 11% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

What should I do?

6 steps

  1. PATCH
     Upgrade n8n to 1.123.22 (v1 branch), 2.9.3, or 2.10.1 — fixes are available across all active release lines.

  2. DETECT
     Audit N8N_RUNNERS_ENABLED=true instances across your environment; prioritize those with untrusted or broad workflow editor access.

  3. WORKAROUND (if patching is delayed)
     Restrict workflow creation/editing to explicitly trusted users via n8n's role-based access controls.

  4. ISOLATE
     Switch to external runner mode (N8N_RUNNERS_MODE=external) to limit memory exposure to the runner subprocess only.

  5. ROTATE
     Assume any API keys, tokens, or credentials processed by affected n8n instances may be compromised — rotate proactively.

  6. MONITOR
     Review workflow audit logs for unexpected JavaScript buffer allocations or anomalous large buffer reads in Task Runner steps.
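As an added example (not code from n8n or from this advisory), a small JavaScript triage helper covering the PATCH, DETECT and ISOLATE steps above: it checks a version string against the advisory's fixed versions, classifies an instance's exposure from its N8N_RUNNERS_* environment, and flags Code nodes in a workflow export whose source calls Node's uninitialized-buffer APIs. The export field names (node type `n8n-nodes-base.code`, source in `parameters.jsCode`) are assumed from n8n's workflow export format, and the sample workflow is constructed.

```javascript
// Added triage helpers for CVE-2026-27496 (example code, not n8n's own).
// Assumption: n8n workflow exports list Code nodes with type
// "n8n-nodes-base.code" and keep their JavaScript in parameters.jsCode.

// Node APIs that return uninitialized memory; Buffer.alloc() zero-fills and is safe.
const UNSAFE_ALLOC = /\bBuffer\.allocUnsafe(?:Slow)?\s*\(/;

// Vulnerable range from the advisory: prior to 1.123.22, 2.9.3, or 2.10.1.
function isVulnerableVersion(version) {
  const [major, minor, patch] = version.split('.').map(Number);
  if (major < 1) return true;
  if (major === 1) return minor < 123 || (minor === 123 && patch < 22);
  if (major === 2) {
    if (minor < 9) return true;
    if (minor === 9) return patch < 3;
    if (minor === 10) return patch < 1;
  }
  return false;
}

// Exposure from the environment: runners off means the leak path does not exist;
// external mode limits the leak to the runner subprocess (assumed: any other mode runs in-process).
function classifyExposure(env) {
  const runnersOn = String(env.N8N_RUNNERS_ENABLED || '').toLowerCase() === 'true';
  if (!runnersOn) return 'runners-disabled';
  return env.N8N_RUNNERS_MODE === 'external' ? 'external-runner' : 'internal-runner';
}

// Names of Code nodes whose JavaScript calls an uninitialized-buffer API.
function findUnsafeBufferNodes(workflow) {
  return (workflow.nodes || [])
    .filter((n) => n.type === 'n8n-nodes-base.code')
    .filter((n) => UNSAFE_ALLOC.test((n.parameters && n.parameters.jsCode) || ''))
    .map((n) => n.name);
}

// Constructed sample export (not a real workflow): one benign and one flagged Code node.
const SAMPLE_WORKFLOW = {
  nodes: [
    { name: 'Fetch', type: 'n8n-nodes-base.httpRequest', parameters: {} },
    { name: 'Transform', type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'const b = Buffer.alloc(64); return $input.all();' } },
    { name: 'Suspicious', type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'const buf = Buffer.allocUnsafe(1024 * 1024); return buf.toString();' } },
  ],
};

console.log(findUnsafeBufferNodes(SAMPLE_WORKFLOW), isVulnerableVersion('2.10.0'));
```

The node scan is a static string match, so it flags the call site for review rather than proving misuse; pair it with the audit-log review in the MONITOR step.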

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Protection of AI system information
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-27496 actively exploited?

No confirmed active exploitation of CVE-2026-27496 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27496?

1. PATCH: Upgrade n8n to 1.123.22 (v1 branch), 2.9.3, or 2.10.1 — fixes are available across all active release lines.
2. DETECT: Audit N8N_RUNNERS_ENABLED=true instances across your environment; prioritize those with untrusted or broad workflow editor access.
3. WORKAROUND (if patching is delayed): Restrict workflow creation/editing to explicitly trusted users via n8n's role-based access controls.
4. ISOLATE: Switch to external runner mode (N8N_RUNNERS_MODE=external) to limit memory exposure to the runner subprocess only.
5. ROTATE: Assume any API keys, tokens, or credentials processed by affected n8n instances may be compromised — rotate proactively.
6. MONITOR: Review workflow audit logs for unexpected JavaScript buffer allocations or anomalous large buffer reads in Task Runner steps.

What systems are affected by CVE-2026-27496?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, Workflow automation pipelines, LLM API integration layers, RAG data ingestion pipelines, Multi-tool AI agent frameworks.

What is the CVSS score for CVE-2026-27496?

CVE-2026-27496 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.10.1, and 2.9.3. Users should upgrade to these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privilege n8n account (or a compromised employee account with 'editor' rights) creates a new workflow containing an Execute Code node backed by the JavaScript Task Runner. The payload is trivial: `const buf = Buffer.allocUnsafe(1024 * 1024); return buf.toString('utf8');`. Executed repeatedly, this reads megabytes of uninitialized Node.js heap memory populated by prior workflow runs. In an AI orchestration environment, this memory likely contains plaintext API keys for OpenAI/Anthropic (from credential store hydration), database connection strings used by AI data ingestion workflows, and session tokens from user-authenticated webhook triggers. The attacker can exfiltrate these credentials to pivot laterally into LLM services, AI databases, or upstream SaaS integrations — all without leaving obvious traces in n8n's execution logs.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
March 25, 2026
Last Modified
March 27, 2026
First Seen
March 25, 2026
