CVE-2026-56776 in n8ninfo

Summary

by MITRE • 07/08/2026

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/{workflowId}/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real evaluation test run, causing the workflow to execute via the internal workflow runner and resulting in unintended outbound API calls, data mutations, or other side effects in connected downstream systems. The issue primarily affects instances using the Evaluations feature where RBAC project roles grant workflow:read without workflow:execute.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in n8n versions prior to 1.123.55, 2.25.7, and 2.26.2 represents a critical authorization bypass that undermines the principle of least privilege within the platform's access control mechanisms. This flaw exists specifically within the POST /workflows/{workflowId}/test-runs/new endpoint where the system incorrectly validates permissions using the workflow:read scope instead of the more privileged workflow:execute scope. The technical implementation fails to properly enforce authorization checks, creating a pathway for unauthorized execution of workflow logic that should require elevated privileges.

The operational impact of this vulnerability is significant as it allows authenticated users with only read-only access to workflows to inadvertently trigger actual workflow executions through test run functionality. When these users initiate test runs, the internal workflow runner executes the workflow logic which can result in unintended consequences including unauthorized outbound API calls, data mutations, and other side effects within connected downstream systems. This represents a direct violation of the security model where read-only users should not be able to trigger execution of potentially destructive operations.

The vulnerability aligns with CWE-285, which addresses improper authorization issues, and specifically demonstrates how insufficient access control validation can lead to privilege escalation scenarios. From an ATT&CK perspective, this maps to T1078 Valid Accounts and T1496 Resource Hijacking, as authenticated users can leverage their legitimate credentials to execute unintended operations. The flaw particularly affects environments using the Evaluations feature where role-based access control (RBAC) project roles are configured with workflow:read permissions but not workflow:execute permissions, creating a dangerous gap in the security model.

Organizations should immediately implement mitigations including updating to the patched versions of n8n, reviewing and strengthening RBAC configurations to ensure proper privilege separation, and implementing monitoring for unauthorized workflow executions. Additional protective measures include validating that test run functionality only operates with appropriate execute-level permissions and considering network segmentation to limit potential impact from unauthorized workflow execution. The vulnerability highlights the importance of comprehensive authorization testing and proper validation of access controls across all API endpoints, particularly those that trigger execution of business logic rather than simple data retrieval operations.

Responsible

VulnCheck

Reservation

06/23/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!