CVE-2026-56778

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an authorization bypass in the Public API execution retry endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a shared workflow can use the Public API to retry executions of that workflow, bypassing the intended permission boundary between read and execute access. This affects instances where workflows are shared with other users or across projects.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*

History

08 Jul 2026, 19:26

Type Values Removed Values Added
CPE cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
References () https://github.com/n8n-io/n8n/security/advisories/GHSA-h3jj-5f3v-3685 - () https://github.com/n8n-io/n8n/security/advisories/GHSA-h3jj-5f3v-3685 - Mitigation, Vendor Advisory
References () https://www.vulncheck.com/advisories/n8n-authorization-bypass-in-public-api-execution-retry-endpoint - () https://www.vulncheck.com/advisories/n8n-authorization-bypass-in-public-api-execution-retry-endpoint - Third Party Advisory
First Time N8n
N8n n8n

08 Jul 2026, 14:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-08 14:17

Updated : 2026-07-08 19:26


NVD link : CVE-2026-56778

Mitre link : CVE-2026-56778

CVE.ORG link : CVE-2026-56778


JSON object : View

Products Affected

n8n

  • n8n
CWE
CWE-863

Incorrect Authorization