CVE-2026-56775

CVE-2026-56775CVE-2026-56775

n8n / n8n

Description

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating evaluation test-run endpoints that authorize state-changing actions using the workflow:read scope instead of the action-appropriate workflow:execute scope. On instances using Advanced Permissions (Enterprise/Cloud) with projects and viewer roles, an authenticated user with the project:viewer role can start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they only have read access to.

Scoring

CVSS 5.4 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Last modified2026-07-08
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.