Skip to main content

n8n CVE-2026-56775

| EUVDEUVD-2026-42262 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-08 disclosure@vulncheck.com GHSA-w79j-mf7m-gfpm
5.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.2 MEDIUM

PR:L for required viewer authentication; AC:H because exploitation is gated on Enterprise/Cloud Advanced Permissions with projects and viewer roles enabled.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 15:12 vuln.today
Patch available
Jul 08, 2026 - 15:01 EUVD

DescriptionCVE.org

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating evaluation test-run endpoints that authorize state-changing actions using the workflow:read scope instead of the action-appropriate workflow:execute scope. On instances using Advanced Permissions (Enterprise/Cloud) with projects and viewer roles, an authenticated user with the project:viewer role can start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they only have read access to.

AnalysisAI

Incorrect authorization in n8n's evaluation test-run API endpoints allows authenticated project viewers to perform state-changing operations reserved for users with execute permissions. On Enterprise and Cloud deployments running Advanced Permissions with projects and viewer roles configured, an authenticated project:viewer can start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they have only read access to - bypassing the intended workflow:execute scope gate. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with project:viewer credentials
Delivery
Identify target workflow via read-access
Exploit
Craft POST/DELETE request to evaluation test-run endpoint
Execution
Server checks workflow:read scope (granted) instead of workflow:execute
Persist
Start, cancel, or delete test run without execute authorization
Impact
Disrupt workflow operations or destroy audit records

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following conditions simultaneously: (1) the target n8n instance must be running the Enterprise or Cloud tier with the Advanced Permissions feature enabled and projects configured - community self-hosted instances without this feature are not affected; (2) the attacker must hold a valid authenticated session with at least the project:viewer role assigned within a project containing the target workflow; (3) the target workflows must have evaluation test-run records or be in a state where test runs can be initiated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L) positions this as a moderate-severity authenticated flaw with low impacts on integrity and availability and no confidentiality exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An internal user assigned the project:viewer role on a sensitive workflow in an n8n Enterprise instance authenticates normally and discovers that the evaluation test-run API endpoints accept their workflow:read-scoped session token for state-changing requests. The user sends a crafted POST request to start a new evaluation test run against a production workflow they have no execute authority over, causing unintended execution side effects, or sends a DELETE request to purge historical run records needed for compliance auditing - all without triggering any authorization error. …
Remediation The primary remediation is to upgrade n8n to a patched release: version 1.123.55 or later on the 1.x branch, version 2.25.7 or later on the 2.25.x branch, or version 2.26.2 or later on the 2.26.x branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

CVE-2026-56775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy