PT-2026-53071 · Npm · N8N
Published
2026-06-17
·
Updated
2026-06-17
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
Impact
Three mutating endpoints in the evaluation test runs controller authorized state-changing actions using
workflow:read instead of the action-appropriate workflow:execute scope. An authenticated user with project:viewer role on a project could start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they only had read access to.This issue only affects instances with Advanced Permissions (Enterprise/Cloud) where projects and viewer roles are in use.
Patches
The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict project membership to fully trusted users only.
- Avoid granting viewer access to projects containing sensitive workflows.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
N8N