CVE-2026-33660: TensorFlow: type confusion NPD in tensor conversion

GHSA-58qr-rcgv-642v | Severity: CRITICAL | CISA SSVC: Track*
Published March 25, 2026
CISO Take

Any TensorFlow deployment running versions before 2.5.0 (or backport patches) is vulnerable to a type confusion crash—on shared training infrastructure or multi-tenant ML platforms this can be weaponized by a low-privileged local user to crash pipelines or potentially escalate. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 depending on your pin. If patching is not immediate, enforce strict input validation at pipeline ingestion boundaries to reject non-numeric tensor types before they reach TF ops.

What is the risk?

CVSS 7.8 High with local attack vector and low privilege requirement makes this realistic in shared ML environments: JupyterHub clusters, multi-tenant training farms, and model-serving containers where multiple users or services share the same TF runtime. The C:H/I:H/A:H impact triad suggests that while the primary surface is a null pointer dereference (crash/DoS), the underlying type confusion (CWE-843) paired with memory corruption primitives raises the theoretical ceiling to code execution in specific runtime configurations. Not in CISA KEV and no public exploit weaponization observed, so real-world risk is moderate but non-trivial in shared infrastructure.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable range: = 2.14.0
Patched: 2.14.1

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1: 10.0 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 21% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: High
A: High

What should I do?

5 steps
  1. Patch: upgrade to TF 2.5.0 or cherry-picked backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4.

  2. Validate tensor dtype at pipeline ingestion—reject non-numeric dtypes (strings, objects, booleans) before passing to TF ops using tf.debugging.assert_type() or equivalent guards.

  3. Isolate TF runtimes on shared infrastructure using containers with separate user namespaces; prevent cross-tenant process access.

  4. For TF Serving deployments, implement a preprocessing layer (e.g., input signature enforcement via SavedModel signatures) that restricts accepted dtypes to declared numeric types.

  5. Detection: monitor for process crashes (SIGSEGV/SIGABRT) in TF serving or training processes—repeated crashes from the same input source are an exploitation signal.
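To make the detection signal in step 5 concrete, here is an added example (not code from the page or the TensorFlow project) that parses constructed supervisor log lines recording TF worker exits and flags any job source whose workers crash repeatedly inside a short window; the log format, the `tf-worker` process name and the `source=` field are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from any real system):
# a job supervisor logs each worker exit with its signal and submitting source.
SAMPLE_LOG = """\
2026-03-25T10:00:01Z tf-worker[4121] exited signal=SIGSEGV source=user:alice job=train-17
2026-03-25T10:00:40Z tf-worker[4133] exited signal=SIGSEGV source=user:alice job=train-18
2026-03-25T10:01:15Z tf-worker[4140] exited signal=SIGABRT source=user:alice job=train-19
2026-03-25T10:02:00Z tf-worker[4150] exited code=0 source=user:bob job=train-20
2026-03-25T10:30:00Z tf-worker[4202] exited signal=SIGSEGV source=user:bob job=train-21
2026-03-25T11:45:00Z tf-worker[4300] exited signal=SIGSEGV source=user:bob job=train-22
"""

# Only lines that report a termination signal are candidate crashes;
# clean exits (code=0) do not match and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) tf-worker\[\d+\] exited signal=(?P<sig>SIG[A-Z]+) source=(?P<src>\S+)"
)
CRASH_SIGNALS = {"SIGSEGV", "SIGABRT"}


def parse_crashes(log_text):
    """Return a list of (timestamp, source) for every crash line in the log."""
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("sig") in CRASH_SIGNALS:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            crashes.append((ts, m.group("src")))
    return crashes


def flag_repeat_crashers(crashes, threshold=3, window=timedelta(minutes=10)):
    """Map source -> crash count for sources with >= threshold crashes in one window."""
    by_src = defaultdict(list)
    for ts, src in crashes:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # Count crashes that fall inside [start, start + window].
            in_window = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, in_window)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

A single crash is noise; the signal the page describes is the same source producing a burst of SIGSEGV/SIGABRT exits, which is what the sliding window isolates.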

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
8.4 - AI system risk management
9.1 - Monitoring, measurement, analysis and evaluation
NIST AI RMF
GOVERN 1.1 - Policies and procedures for AI risk management
MANAGE 2.2 - Mechanisms for responding to and recovering from AI risks

Frequently Asked Questions

Is CVE-2026-33660 actively exploited?

No confirmed active exploitation of CVE-2026-33660 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-33660?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference servers, shared ML notebooks, MLOps/CI-CD pipelines.

What is the CVSS score for CVE-2026-33660?

CVE-2026-33660 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's "Combine by SQL" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.26. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary with low-privileged local access to a shared ML training cluster (e.g., a data scientist account on a JupyterHub or a compromised CI/CD pipeline runner) crafts a Python script that calls TF operations passing string or boolean tensors where float32/int32 are expected. The ndarray_tensor.cc conversion logic fails to reject the type mismatch and dereferences a null pointer, crashing the TF process. On a multi-tenant training server, repeated targeted crashes can disrupt competing users' training jobs (DoS). In a more sophisticated scenario, the type confusion primitive (CWE-843) could be chained with a heap grooming technique to achieve controlled memory writes, escalating to arbitrary code execution within the TF worker process and potentially breaking container isolation.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: March 25, 2026
Last Modified: March 26, 2026
First Seen: March 25, 2026
