PT-2026-56442 · N8N · N8N

34Selen

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-56776

CVSS v3.1

7.4

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions n8n versions prior to 1.123.55 n8n versions prior to 2.25.7 n8n versions prior to 2.26.2
Description An authorization bypass exists in the Evaluations feature within the 'POST /workflows/{workflowId}/test-runs/new' endpoint. The system incorrectly authorizes access using the workflow:read scope instead of the required workflow:execute scope. This broken access control allows an authenticated user with read-only RBAC (Role-Based Access Control) project roles to trigger a real evaluation test run. Such an action causes the workflow to execute via the internal workflow runner, potentially leading to unauthorized outbound API calls, data mutations, or other side effects in connected downstream systems.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56776

Affected Products

N8N