Vulnerabilities

CVE-2026-27496

Medium
CWE-908 — Weakness Type
Published: Mar 25, 2026  ·  Modified: Mar 28, 2026  ·  Source: NVD
CVSS v3
6.5
📄 Description (English)

n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process, including data from prior requests, tasks, secrets, or tokens, resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.9.3, and 2.10.1. Users should upgrade to the fixed version for their release branch, or any later version, to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

🤖 AI Executive Summary

CVE-2026-27496 is a medium-severity (CVSS 3.1 base 6.5) information disclosure vulnerability in the n8n workflow automation platform affecting versions prior to 1.123.22, 2.9.3, and 2.10.1. Authenticated users with workflow creation or modification permissions can use the JavaScript Task Runner to obtain uninitialized memory buffers, which may still hold data from earlier work in the same Node.js process: secrets, tokens, and prior request or task data. Exploitation requires Task Runners to be enabled; in the default internal mode the exposed memory belongs to the main n8n process, whereas in external mode it is confined to the separate runner process. Because n8n instances typically hold credentials for every system they integrate with, the practical impact for organizations that use n8n for critical automation is well above what the base score alone suggests.

🤖 AI Intelligence Analysis Analyzed: May 12, 2026 12:28
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using n8n for workflow automation face significant risk, particularly in: Banking sector (SAMA-regulated institutions) using n8n for payment processing and transaction automation; Government agencies (NCA oversight) automating administrative workflows; Healthcare organizations automating patient data workflows; Energy sector (ARAMCO and subsidiaries) using n8n for operational automation; Telecom providers (STC, Mobily) automating network and customer management workflows. The vulnerability's ability to leak secrets and tokens could compromise API credentials, database passwords, and authentication tokens used across integrated systems, potentially leading to lateral movement and unauthorized access to critical infrastructure.
🏢 Affected Saudi Sectors
Banking and Financial Services Government and Public Administration Healthcare and Medical Services Energy and Utilities Telecommunications Manufacturing Retail and E-commerce Insurance
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all n8n instances and record, for each, the running version and the values of N8N_RUNNERS_ENABLED and N8N_RUNNERS_MODE. Only instances on an affected version with Task Runners enabled are exposed; an unset variable must be resolved against the default for that version rather than assumed to mean "disabled".
2. Enumerate the users and API keys that can create or modify workflows. These are the only principals who can trigger the issue, so they define the exposure population.
3. Review stored workflow definitions and execution history for Code nodes that allocate raw buffers (for example Buffer.allocUnsafe) and for unexpected workflow edits by those principals.
4. If exposure cannot be ruled out, rotate the credentials, API keys and tokens the affected process could have held in memory: in internal mode that is everything the main n8n process handled; in external mode, what the runner process handled.

PATCHING GUIDANCE:
1. Upgrade to the fixed release for your branch: 1.123.22 on 1.x, 2.9.3 on 2.9.x, 2.10.1 on 2.10.x, or any later version.
2. Test the upgrade in a non-production environment first.
3. After upgrading, confirm the reported version is at or above the fixed one and that Code nodes still execute under the Task Runner.

COMPENSATING CONTROLS (if immediate patching not possible):
1. Set N8N_RUNNERS_ENABLED=false to remove the exposed component; confirm first, in the release notes for your version, that Code nodes still execute without runners on that release.
2. Otherwise run N8N_RUNNERS_MODE=external so the runner is a separate process. Residual data is then confined to the runner process, but data from other tasks served by that same runner can still be exposed, so this reduces rather than removes the risk.
3. Restrict workflow creation and modification to fully trusted administrators.
4. Segment the network so that only the systems that need the n8n instance can reach it.
5. Enable comprehensive audit logging for all workflow modifications.

DETECTION RULES:
1. Scan stored workflow definitions (database or exported JSON) for Code nodes that call Buffer.allocUnsafe, Buffer.allocUnsafeSlow or the deprecated numeric Buffer() constructor; these are the Node.js APIs that return uninitialized memory. The advisory does not name the exact call path, so treat these as generic indicators, not a signature.
2. Alert on workflow creation or modification by users outside the expected administrator set, and on Code nodes added to existing workflows.
3. Alert on Code node output containing credential-shaped strings (Authorization headers, JWTs, API keys) that were not present in the node's input.
4. Track Task Runner process restarts and resource spikes alongside workflow edits; a burst of large allocations from a newly edited workflow is worth a look, though it is not conclusive on its own.
5. Log all API calls and data access within n8n workflows.
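The audit and detection steps above can be scripted against an instance's version, environment and exported workflows. The following is an added example written for this page, not n8n project code. It assumes the fixed versions stated in the advisory (1.123.22, 2.9.3, 2.10.1), that workflow JSON follows n8n's export layout (`nodes[].type`, `nodes[].name`, `parameters.jsCode` for the Code node, `parameters.functionCode` for the legacy Function node), and that the uninitialized-memory APIs to look for are Node.js's `Buffer.allocUnsafe`, `Buffer.allocUnsafeSlow` and the numeric `Buffer()` constructor; the advisory does not say which call path the runner exposed, so these are generic indicators. The sample workflow is constructed, not taken from any real instance.

```javascript
// Added triage helpers for CVE-2026-27496 (not n8n project code).
// Assumptions: fixed versions from the advisory; n8n export JSON layout as
// described in the lead-in; Node.js uninitialised-memory APIs as indicators.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable n8n version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` is at or above the fix for its release branch.
function isFixed(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major === 1) return minor > 123 || (minor === 123 && patch >= 22);
  if (major === 2) {
    if (minor < 9) return false;          // 2.0 .. 2.8 predate every 2.x fix
    if (minor === 9) return patch >= 3;   // fixed in 2.9.3
    if (minor === 10) return patch >= 1;  // fixed in 2.10.1
    return true;                          // 2.11+ ship after the fix
  }
  return major > 2;                       // 0.x predates every fix
}

// Exposure of one instance from its version and environment.
// Returns "unknown" when N8N_RUNNERS_ENABLED is unset: the default differs
// between releases and must be read from that version's documentation.
function assessRunnerExposure(env, version) {
  if (isFixed(version)) return "patched";
  const raw = env.N8N_RUNNERS_ENABLED;
  if (raw === undefined || raw === "") return "unknown";
  if (String(raw).toLowerCase() !== "true") return "not-exposed";
  const mode = String(env.N8N_RUNNERS_MODE ?? "internal").toLowerCase();
  return mode === "external" ? "exposed-runner-process" : "exposed-main-process";
}

// Indicators in Code node source; `why` explains each hit to the reviewer.
const UNSAFE_BUFFER_PATTERNS = [
  { re: /\bBuffer\s*\.\s*allocUnsafe(?:Slow)?\s*\(/, why: "returns uninitialised memory" },
  { re: /\b(?:new\s+)?Buffer\s*\(\s*[^'"`]/, why: "deprecated Buffer() constructor; a numeric argument is uninitialised" },
];

// Walk every node that carries JavaScript source and report matches.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    const code = node.parameters?.jsCode ?? node.parameters?.functionCode;
    if (typeof code !== "string") continue;
    for (const { re, why } of UNSAFE_BUFFER_PATTERNS) {
      const m = re.exec(code);
      if (m) findings.push({ node: node.name, type: node.type, match: m[0].trim(), why });
    }
  }
  return findings;
}

// Hardened form for application code: zero-filled allocation cannot carry residue.
function allocZeroed(n) { return Buffer.alloc(n); }

// Constructed sample workflow (not from any real instance).
const SAMPLE_WORKFLOW = {
  name: "constructed-sample",
  nodes: [
    { name: "Trigger", type: "n8n-nodes-base.manualTrigger", parameters: {} },
    { name: "Passthrough", type: "n8n-nodes-base.code",
      parameters: { jsCode: "return $input.all();" } },
    { name: "Suspicious", type: "n8n-nodes-base.code",
      parameters: { jsCode: "const b = Buffer.allocUnsafe(65536);\nreturn [{ json: { raw: b.toString('latin1') } }];" } },
  ],
};

console.log(JSON.stringify({
  exposure: assessRunnerExposure({ N8N_RUNNERS_ENABLED: "true" }, "2.10.0"),
  findings: scanWorkflow(SAMPLE_WORKFLOW),
}, null, 2));
```

Run it with `node` against the JSON you get from n8n's workflow export and the environment of the container or service unit; `assessRunnerExposure` tells you whether the instance is in scope at all, and `scanWorkflow` gives you the nodes to open first. A hit on the deprecated `Buffer()` pattern needs a human look, since `Buffer(someString)` is safe and only the numeric form is uninitialized.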
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
NCA ECC 2024, Cybersecurity Defense subdomains: Identity and Access Management; Data and Information Protection; Vulnerabilities Management; Cybersecurity Event Logs and Monitoring Management
🔵 SAMA CSF
SAMA CSF, domain 3.3 Cybersecurity Operations and Technology: Asset Management; Identity and Access Management; Application Security; Cybersecurity Event Management; Vulnerability Management
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security ISO 27001:2022 A.5.9 - Inventory of information and other associated assets ISO 27001:2022 A.5.12 - Classification of information ISO 27001:2022 A.5.15 - Access control ISO 27001:2022 A.5.18 - Access rights ISO 27001:2022 A.6.1 - Screening ISO 27001:2022 A.8.8 - Management of technical vulnerabilities ISO 27001:2022 A.8.15 - Logging
🟣 PCI DSS v4.0.1
PCI DSS v4.0.1 Requirement 6.3 - Security vulnerabilities are identified and addressed (6.3.3: patches installed) PCI DSS v4.0.1 Requirement 7.2 - Access to system components and data is appropriately defined and assigned PCI DSS v4.0.1 Requirement 8.6 - Use of application and system accounts and associated authentication factors is strictly managed PCI DSS v4.0.1 Requirement 10.2 - Audit logs are implemented to support the detection of anomalies and suspicious activity
📦 Affected Products / CPE 3 entries
n8n:n8n
n8n:n8n
n8n:n8n:2.10.0
📊 CVSS Score
6.5
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low (any authenticated user who can create or edit workflows)
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: N — None
Availability: N — None
📋 Quick Facts
Severity Medium
CVSS Score6.5
CWECWE-908
Exploit: no public exploit listed
Patch: Yes (fixed in 1.123.22, 2.9.3, 2.10.1)
Published 2026-03-25
Source Feed nvd
🇸🇦 Saudi Risk Score
7.2
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-908