CVE-2026-56776
Undergoing Analysis Undergoing Analysis - In Progress

Authorization Bypass in n8n Workflow Test Execution

Vulnerability report for CVE-2026-56776, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/{workflowId}/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real evaluation test run, causing the workflow to execute via the internal workflow runner and resulting in unintended outbound API calls, data mutations, or other side effects in connected downstream systems. The issue primarily affects instances using the Evaluations feature where RBAC project roles grant workflow:read without workflow:execute.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
n8n n8n 1.123.55
n8n n8n 2.25.7
n8n n8n 2.26.2
n8n n8n to 1.123.55 (exc)
n8n n8n to 2.25.7 (exc)
n8n n8n to 2.26.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user with read-only access to trigger workflow executions, potentially causing unintended outbound API calls, data mutations, or other side effects in connected downstream systems.

Such unauthorized execution and data manipulation could lead to unauthorized data access or modification, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and data integrity.

Organizations using affected versions of n8n should consider this risk in their compliance assessments and apply patches or mitigations to prevent unauthorized workflow executions that could compromise sensitive data or system integrity.

Executive Summary

This vulnerability exists in n8n versions before 1.123.55, 2.25.7, and 2.26.2 and involves an authorization bypass in the POST /workflows/{workflowId}/test-runs/new endpoint.

The endpoint incorrectly authorizes access using the workflow:read scope instead of the required workflow:execute scope.

As a result, an authenticated user who only has read-only access to a workflow can trigger a real evaluation test run, causing the workflow to execute through the internal workflow runner.

This can lead to unintended outbound API calls, data mutations, or other side effects in connected downstream systems.

The issue mainly affects instances using the Evaluations feature where RBAC project roles grant workflow:read permissions without workflow:execute permissions.

Impact Analysis

If you are using affected versions of n8n and have workflows with read-only access granted, an attacker or unauthorized user with read access could trigger workflow executions.

This can cause unintended actions such as outbound API calls, changes to data, or other side effects in systems connected to the workflow.

Such unintended executions could disrupt business processes, cause data integrity issues, or lead to unauthorized interactions with external systems.

Detection Guidance

This vulnerability involves an authorization bypass in the POST /workflows/{workflowId}/test-runs/new endpoint where workflow:read scope is incorrectly used instead of workflow:execute. Detection involves identifying if authenticated users with only workflow:read permissions are able to trigger test runs that execute workflows.

To detect this on your system, you can monitor logs for POST requests to the /workflows/{workflowId}/test-runs/new endpoint made by users who only have workflow:read permissions. Look for unexpected workflow executions triggered by read-only users.

Suggested commands include searching your application or API logs for such POST requests. For example, using grep on log files:

  • grep -i 'POST /workflows/' /path/to/n8n/logs | grep 'test-runs/new'
  • Audit user roles and permissions to identify users with workflow:read but not workflow:execute permissions.

Additionally, you can use API calls or scripts to verify if users with read-only access can trigger test runs, which should not be allowed.

Mitigation Strategies

The primary mitigation is to upgrade n8n to a patched version: 1.123.55, 2.25.7, 2.26.2 or later, where this authorization bypass has been fixed.

Until you can upgrade, you should restrict workflow access to trusted users only and audit project role assignments to limit workflow:read permissions on sensitive workflows, ensuring users with read-only access cannot trigger test runs.

Review and adjust RBAC project roles to ensure that workflow:execute permission is required to trigger test runs, and remove unnecessary workflow:read permissions where possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart