GHSA-H3JJ-5F3V-3685: Public API Execution Retry Authorization Bypass in n8n
Vulnerability ID: GHSA-H3JJ-5F3V-3685
CVSS Score: 6.4
Published: 2026-06-16
An incorrect authorization vulnerability in the Public API of n8n allows authenticated users with read-only permissions to bypass access control boundaries. By invoking the execution retry endpoint, an unauthorized user can trigger workflow executions, effectively escalating their privileges from workflow:read to workflow:execute.
TL;DR
A validation flaw in the n8n Public API allowed users with read-only workflow permissions to execute retries, triggering unauthorized workflow executions on the server.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS v3.1 Score: 6.4 (Medium)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Exploit Status: poc
- Patched Versions: 2.25.7, 2.26.2
Affected Systems
- n8n (npm package)
- n8n docker container image
- n8n: < 2.25.7 (fixed in 2.25.7)
- n8n: >= 2.26.0, < 2.26.2 (fixed in 2.26.2)
Mitigation Strategies
- Upgrade the n8n container or package to a patched version immediately.
- Restrict ingress traffic to the /v1 API endpoints to trusted source IPs using a WAF or reverse proxy.
- Implement the principle of least privilege by auditing and removing unused API keys.
- Limit the cross-project sharing of critical workflows to reduce internal attack surface.
Remediation Steps
- Identify the current active version of n8n running in the environment.
- For Docker-based deployments, edit the docker-compose configuration to use image n8nio/n8n:2.26.2 or later.
- For npm-based deployments, execute npm install -g n8n@2.26.2 to apply the update.
- Restart the n8n container or process.
- Verify the update by attempting a retry request from an API key with read-only permissions and ensuring an HTTP 403 Forbidden is returned.
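The remediation steps above amount to two checks: is the running version inside one of the affected ranges, and, once patched, does a read-only API key now receive HTTP 403 from the execution retry endpoint. The following script is an added example, not code from the advisory or from the n8n project. It encodes the advisory's version ranges exactly as listed, and probes a single execution retry with a key you own. The retry path `/api/v1/executions/{id}/retry` and the `X-N8N-API-KEY` header are assumptions about the public API and should be checked against the API documentation for your n8n version; the base URL, key and execution id are placeholders supplied on the command line.

```python
"""Added example for GHSA-H3JJ-5F3V-3685 (not from the advisory or n8n):
1. decide whether an n8n version falls in an affected range;
2. after patching, confirm a read-only API key is refused (403) on the
   execution retry endpoint, as the advisory's last remediation step describes.
"""
import sys
import urllib.error
import urllib.request

# Version boundaries quoted in the advisory.
AFFECTED_BELOW = "2.25.7"              # every release before this is affected
AFFECTED_2_26_FROM, AFFECTED_2_26_BELOW = "2.26.0", "2.26.2"


def parse_version(version):
    """'v2.26.2-rc1' -> (2, 26, 2); pre-release suffixes are ignored."""
    core = version.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True if the version is in an affected range from the advisory:
    n8n < 2.25.7, or 2.26.0 <= n8n < 2.26.2."""
    v = parse_version(version)
    if v < parse_version(AFFECTED_BELOW):
        return True
    return parse_version(AFFECTED_2_26_FROM) <= v < parse_version(AFFECTED_2_26_BELOW)


def retry_status(base_url, api_key, execution_id):
    """POST a retry for one execution with the given key; return the HTTP status.

    ASSUMPTION: the path and header below are placeholders for the public
    API's execution retry endpoint; verify them against your n8n docs.
    """
    url = "%s/api/v1/executions/%s/retry" % (base_url.rstrip("/"), execution_id)
    req = urllib.request.Request(
        url,
        data=b"{}",
        method="POST",
        headers={
            "X-N8N-API-KEY": api_key,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 403 is the expected outcome for a read-only key on a patched instance.
        return err.code


def verdict(version, readonly_retry_status=None):
    """Combine the version range check with the optional live probe result."""
    if is_affected(version):
        return "affected: upgrade to 2.25.7 / 2.26.2 or later"
    if readonly_retry_status is None:
        return "version patched; run the read-only retry probe to confirm"
    if readonly_retry_status == 403:
        return "patched: read-only key correctly refused (403)"
    return "unexpected status %d for read-only key; investigate" % readonly_retry_status


if __name__ == "__main__":
    # usage: python check_n8n_retry.py <version> [<base_url> <readonly_api_key> <execution_id>]
    if len(sys.argv) not in (2, 5):
        sys.exit("usage: check_n8n_retry.py <version> [<base_url> <readonly_key> <execution_id>]")
    status = retry_status(*sys.argv[2:5]) if len(sys.argv) == 5 else None
    print(verdict(sys.argv[1], status))
```

Run it first with only the version string to decide whether an upgrade is needed; after upgrading, pass the base URL, a key that carries only read permissions, and the id of an existing execution so the probe exercises the retry authorization path.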
References
Read the full report for GHSA-H3JJ-5F3V-3685 on our website for more details including interactive diagrams and full exploit analysis.