PT-2026-53071 · Npm · N8N

Published

2026-06-17

·

Updated

2026-06-17

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Impact

Three mutating endpoints in the evaluation test runs controller authorized state-changing actions using workflow:read instead of the action-appropriate workflow:execute scope. An authenticated user with project:viewer role on a project could start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they only had read access to.
This issue only affects instances with Advanced Permissions (Enterprise/Cloud) where projects and viewer roles are in use.

Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
  • Restrict project membership to fully trusted users only.
  • Avoid granting viewer access to projects containing sensitive workflows.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-664H-GPGQ-H6XX

Affected Products

N8N