Incorrect Authorization Affecting n8n package, versions <2.28.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.17% (7th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Incorrect Authorization vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-N8N-17900546
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditHO9

Introduced: 8 Jul 2026

NewCVE-2026-59253  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade n8n to version 2.28.0 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Incorrect Authorization in workflow creation folder assignment, which does not verify that the requested target folder belongs to a project the requester is allowed to access. A user with workflow creation permission in one project can associate a newly created workflow with a folder belonging to a different project they cannot access by submitting a crafted creation request. Exploitation requires multi-project and folder support to be enabled, and the impact is confined to a logical integrity violation of the target project's folder structure at the database level, since the workflow stays in the requester's project, remains invisible to the target project, and exposes no target project data.

CVSS Base Scores

version 4.0
version 3.1