CVE-2026-59253 in n8n
Summary
by MITRE • 07/08/2026
n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical integrity violations in target project folder structures.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in n8n versions prior to 2.28.0 represents a critical improper authorization flaw that undermines the platform's access control mechanisms. This weakness allows authenticated users to manipulate workflow assignments across project boundaries, effectively bypassing the intended security controls that separate user data and organizational structures. The issue stems from insufficient validation of folder ownership during workflow creation processes, where the system fails to properly verify whether the requesting user has legitimate authorization to assign workflows to specific folders within other projects.
The technical implementation of this vulnerability occurs when attackers craft malicious request payloads that include folder identifiers from different projects during workflow creation operations. This misconfiguration enables unauthorized access to project resources and allows manipulation of folder hierarchies across organizational boundaries. The flaw operates at the application logic level, where the authorization checks are either absent or inadequately implemented, creating a pathway for privilege escalation through legitimate system interfaces.
From an operational impact perspective, this vulnerability compromises the logical integrity of project folder structures and can lead to significant data exposure risks. Attackers can potentially access workflows belonging to other users or projects, manipulate folder hierarchies, and create unauthorized access paths within the n8n environment. The vulnerability affects the fundamental security model of the platform by allowing cross-project workflow assignment, which could result in information disclosure, unauthorized modifications, and potential disruption of legitimate business processes.
The vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and maps to ATT&CK technique T1078 for valid accounts and privilege escalation. Organizations using affected versions of n8n face increased risk of insider threats and lateral movement within their automation environments. The security implications extend beyond immediate data access violations to include potential disruption of business continuity and compliance requirements.
Mitigation strategies should focus on implementing proper authorization checks during workflow creation and folder assignment operations. System administrators should immediately upgrade to n8n version 2.28.0 or later, which includes the necessary fixes for this authorization flaw. Additional protective measures include implementing network segmentation, monitoring workflow creation activities, and conducting regular access control reviews. Organizations should also consider implementing additional logging mechanisms to detect unauthorized folder assignment attempts and establish clear project boundary controls within their n8n deployments.