PT-2026-22030

Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.10.1 n8n versions prior to 2.9.3 n8n versions prior to 1.123.22 Description n8n is an open source workflow automation platform. A flaw exists in the JavaScript Task Runner sandbox, potentially allowing an authenticated...

n8n Node.js Package >= 1.65.0 < 1.114.3 Unsafe Buffer Allocation Memory Disclosure (CVE-2025-61917)

The version of the n8n Node.js Package installed on the remote host is = 1.65.0 and prior to 1.114.3. It is, therefore, affected by an information disclosure vulnerability: - The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allows untrusted code to allocate uninitialize...

CVE-2025-61917

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

@n8n/backend-test-utils (=0.26.0), @n8n/db (=0.34.0) +2 more potentially affected by CVE-2026-25051 via n8n-core (=1.122.0)

n8n-core NPM version =1.122.0 is affected by a known vulnerability. The following packages have a transitive dependency on n8n-core and may be impacted: - @n8n/backend-test-utils =0.26.0 - @n8n/db =0.34.0 - @n8n/task-runner =1.59.0 - n8n-node-dev =1.121.0 Source cves: CVE-2026-25051 Source...

Use of Uninitialized Resource

Overview Affected versions of this package are vulnerable to Use of Uninitialized Resource via the Buffer.allocUnsafe and Buffer.allocUnsafeSlow functions in the task runner process. An attacker can access sensitive in-process memory contents by executing untrusted code that allocates uninitializ...

GHSA-49MX-FJ45-Q3P6 n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

Impact The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process for example, data from prior requests, tasks, secrets, or tokens,...

n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

Impact The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process for example, data from prior requests, tasks, secrets, or tokens,...

CVE-2025-61917

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

CVE-2025-61917 n8n Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

EUVD-2025-206795

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

CVE-2025-61917 n8n Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

CVE-2025-61917

CVE-2025-61917 affects the open‑source workflow tool n8n (versions 1.65.0 through before 1.114.3). The root cause is the use of Buffer.allocUnsafe() / Buffer.allocUnsafeSlow() inside the Task Runner, allowing untrusted code to allocate uninitialized memory that may contain residual data (prior re...

CVE-2025-61917 n8n Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

PT-2026-5931

Name of the Vulnerable Software and Affected Versions n8n versions 1.65.0 through 1.114.2 Description n8n is a workflow automation platform. The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. This could result in...

CVE-2026-0863 Sandbox escape in n8n Python task runner allows for arbitrary code execution on the underlying host.

Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissio...

@klardaten/n8n-nodes-datevconnect (>=1.0.1 <=1.0.2), @n8n/task-runner (>=1.37.0 <=1.57.1) +15 more potentially affected by CVE-2026-21877 via n8n-core (>=1.0.0 <=1.120.1)

n8n-core NPM version =1.0.0, =1.0.1, =1.37.0, =1.0.0, =0.1.0, =1.0.1, =0.3.3, =0.3.1, =1.1.0, =0.1.4, =0.4.10, =0.2.0, =0.2.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-21877 Source advisory: SNYK:JS-N8NCORE-14894271...

@n8n/task-runner (=1.58.0), n8n-node-dev (=1.120.0) potentially affected by CVE-2026-21877 via n8n-core (=1.121.0)

n8n-core NPM version =1.121.0 is affected by a known vulnerability. The following packages have a transitive dependency on n8n-core and may be impacted: - @n8n/task-runner =1.58.0 - n8n-node-dev =1.120.0 Source cves: CVE-2026-21877 Source advisory: SNYK:JS-N8NCORE-14894271...

n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node

Impact A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process...

Cross-site Request Forgery

Jenkins Nexus Task Runner Plugin is vulnerable to a Cross-Site Request Forgery CSRF. The vulnerability is due to missing CSRF protection on sensitive plugin endpoints, where crafted requests can trigger actions without user interaction, allowing attackers to force an authenticated Jenkins user to...

Authorization Bypass

Jenkins Nexus Task Runner Plugin is vulnerable to an Authorization Bypass. The vulnerability is due to a missing permission check, allowing attackers with only Overall/Read permission to force the plugin to connect to an attacker-controlled URL using attacker-supplied credentials, potentially...