Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible API requiring authenticated read-only token (PR:L); scope change (S:C) as unauthorized executions affect downstream systems beyond n8n itself.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an authorization bypass in the Public API execution retry endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a shared workflow can use the Public API to retry executions of that workflow, bypassing the intended permission boundary between read and execute access. This affects instances where workflows are shared with other users or across projects.
AnalysisAI
Authorization bypass in n8n's Public API execution retry endpoint allows authenticated read-only users to trigger workflow executions they should not be permitted to run. The endpoint incorrectly authorizes requests against the workflow:read scope rather than the required workflow:execute scope, collapsing the intended permission boundary between read and execute access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three specific conditions: (1) the attacker must hold a valid authenticated session or API token with at least the workflow:read scope - unauthenticated access is not possible (CVSS PR:L); (2) the target workflow must be shared with the attacker's user account or project, as unshared workflows are not accessible to read-only users; and (3) at least one prior execution of the shared workflow must exist in the system so the retry endpoint has an execution ID to reference. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) is reasonable given PR:L (authenticated access required), AV:N (network-accessible API), and low-level impacts (VC:L/VI:L/SC:L/SI:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user holding a valid n8n API key scoped to workflow:read obtains read access to a shared workflow (e.g., granted by a project owner for auditing purposes). The attacker calls the Public API's execution retry endpoint referencing a prior execution ID of that workflow; n8n validates only the workflow:read scope and permits the request, triggering a new execution. … |
| Remediation | Upgrade n8n to version 2.25.7 (for 2.x deployments) or 2.26.2 (for 2.26.x deployments), which contain the vendor-released patch correcting the scope check on the execution retry endpoint. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP
The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox
The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is
The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is
n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow
This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42264
GHSA-g7vr-5v44-rqf5