Authorization Vulnerability in n8n Product by n8n-io
CVE-2026-56775
5.3MEDIUM
What is CVE-2026-56775?
The n8n workflow automation tool features an authorization vulnerability in specific endpoints that manage test runs. This issue arises from the improper assignment of OAuth scopes, where the 'workflow:read' scope is incorrectly used for state-changing actions instead of the required 'workflow:execute' scope. As a result, an authenticated user with the 'project:viewer' role is able to initiate new test runs, cancel existing ones, and delete records for workflows beyond their read access, particularly when using Advanced Permissions in enterprise or cloud setups. This flaw poses a significant risk, allowing unauthorized actions within workflows.
Affected Version(s)
n8n 0 < 1.123.55
n8n 0 < 2.26.2
n8n 0 < 2.25.7
