PT-2026-56442 · N8N · N8N
34Selen
·
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-56776
CVSS v3.1
7.4
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 1.123.55
n8n versions prior to 2.25.7
n8n versions prior to 2.26.2
Description
An authorization bypass exists in the Evaluations feature within the 'POST /workflows/{workflowId}/test-runs/new' endpoint. The system incorrectly authorizes access using the
workflow:read scope instead of the required workflow:execute scope. This broken access control allows an authenticated user with read-only RBAC (Role-Based Access Control) project roles to trigger a real evaluation test run. Such an action causes the workflow to execute via the internal workflow runner, potentially leading to unauthorized outbound API calls, data mutations, or other side effects in connected downstream systems.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
N8N