Incorrect Authorization Affecting n8n package, versions <2.25.7>=2.26.0 <2.26.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.17% (8th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Incorrect Authorization vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-N8N-17900547
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditHO9

Introduced: 8 Jul 2026

NewCVE-2026-56778  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade n8n to version 2.25.7, 2.26.2 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Incorrect Authorization in the Public API execution retry endpoint, which authorizes the request against the workflow:read permission instead of workflow:execute. A user with only workflow:read access to a shared workflow can run workflow retries they are not permitted to execute by calling the Public API retry endpoint. Exploitation requires the workflow to be shared with the user or across projects, and the retry runs the workflow, which can read data or change state within that workflow's scope.

CVSS Base Scores

version 4.0
version 3.1