GHSA-xvh5-5qg4-x9qp: n8n has In-Process Memory Disclosure in its Task Runner
Summary
n8n (a workflow automation tool) has a security flaw where authenticated users who can create or modify workflows could access uninitialized memory buffers (chunks of computer memory that haven't been cleared), potentially exposing sensitive data like secrets or tokens from previous requests in the same process. This vulnerability only affects systems where Task Runners are enabled and can be limited in external runner mode (where the runner operates in a separate, isolated process).
Solution / Mitigation
The issue has been fixed in n8n versions >= 1.123.22, >= 2.10.1, and >= 2.9.3. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily limit workflow creation and editing permissions to fully trusted users only, or use external runner mode by setting `N8N_RUNNERS_MODE=external`. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.
Vulnerability Details
EPSS: 0.0%
Yes
March 25, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-xvh5-5qg4-x9qp
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%