CVE-2026-27496: n8n has In-Process Memory Disclosure in its Task Runner

March 25, 2026 (updated March 27, 2026)

An authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data.

Task Runners must be enabled using N8N_RUNNERS_ENABLED=true.
In external runner mode, the impact is limited to data within the external runner process.

References

docs.n8n.io/hosting/configuration/task-runners
docs.n8n.io/hosting/securing/blocking-nodes
github.com/advisories/GHSA-xvh5-5qg4-x9qp
github.com/n8n-io/n8n
github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp
nvd.nist.gov/vuln/detail/CVE-2026-27496

Code Behaviors & Features

Detect and mitigate CVE-2026-27496 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →