Authorization Vulnerability in n8n Product by n8n-io
CVE-2026-56775

5.3MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56775?

The n8n workflow automation tool features an authorization vulnerability in specific endpoints that manage test runs. This issue arises from the improper assignment of OAuth scopes, where the 'workflow:read' scope is incorrectly used for state-changing actions instead of the required 'workflow:execute' scope. As a result, an authenticated user with the 'project:viewer' role is able to initiate new test runs, cancel existing ones, and delete records for workflows beyond their read access, particularly when using Advanced Permissions in enterprise or cloud setups. This flaw poses a significant risk, allowing unauthorized actions within workflows.

Affected Version(s)

n8n 0 < 1.123.55

n8n 0 < 2.26.2

n8n 0 < 2.25.7

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YLChen-007
.