Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible, authenticated (PR:L), no UI required; scope changes (S:C) because the attacker's actions corrupt another project's folder structure beyond their own security domain; integrity-only impact (I:L), no confidentiality or availability consequences.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical integrity violations in target project folder structures.
AnalysisAI
Improper authorization in n8n before 2.28.0 enables authenticated users to assign workflows to folders belonging to foreign projects by supplying crafted payloads during workflow creation. The flaw (CWE-639) bypasses project and folder ownership checks entirely, allowing logical integrity violations across organizational boundaries in multi-project deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid n8n user account with workflow creation privileges (PR:L per CVSS 4.0 vector) - unauthenticated access alone is not sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) accurately reflects the constrained real-world impact: only integrity is affected (VI:L on the vulnerable system, SI:L on subsequent systems), with no confidentiality breach or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged n8n user enumerates or guesses folder IDs belonging to a different project they should not have access to, then submits a crafted workflow creation API request embedding one of those foreign folder IDs in the payload. The server accepts the request without validating cross-project ownership, inserting the workflow into the target project's folder hierarchy. … |
| Remediation | Upgrade n8n to version 2.28.0 or later, which resolves the missing authorization check on folder assignment during workflow creation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP
The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox
The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is
The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is
n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow
This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42268
GHSA-gqcv-rfj6-r29g