PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56778 n8n CVE debrief

CVE-2026-56778 is an authorization bypass vulnerability in the n8n workflow automation tool. The vulnerability affects n8n versions before 2.25.7 and 2.26.x before 2.26.2. An authenticated user with read-only access to a shared workflow can use the Public API to retry executions of that workflow, bypassing the intended permission boundary between read and execute access. This vulnerability allows for unauthorized execution of workflows by users with read-only access, potentially leading to unintended changes in the workflow executions.

Vendor
n8n
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of n8n workflow automation tool, especially those who have shared workflows with other users or across projects, should be aware of this vulnerability. This vulnerability allows an authenticated user with read-only access to a shared workflow to retry executions of that workflow using the Public API, potentially bypassing intended permission boundaries. Therefore, it is crucial for administrators and users of n8n to assess their exposure and take necessary actions to mitigate this vulnerability.

Technical summary

The vulnerability is caused by the Public API execution retry endpoint authorizing access using the workflow:read scope instead of workflow:execute. This allows an authenticated user with read-only access to a shared workflow to retry executions of that workflow, effectively bypassing the intended permission boundary between read and execute access. The affected versions of n8n are before 2.25.7 and 2.26.x before 2.26.2.

Defensive priority

Medium priority should be given to patching this vulnerability, as it allows for unauthorized execution of workflows by users with read-only access. However, the actual priority may vary depending on the specific use case and exposure of the affected systems.

Recommended defensive actions

  • Patch n8n to version 2.25.7 or later, or 2.26.2 or later.
  • Review and restrict access to the Public API execution retry endpoint.
  • Monitor for suspicious activity related to workflow executions.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-08T14:17:17.683Z and has not been modified since then. The NVD entry is currently Analyzed. This information is based on the CVE record and NVD entry. However, the details about the vulnerability, such as its impact and affected versions, should be verified with the vendor or through additional sources for comprehensive understanding.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:17.683Z and has not been modified since then. The NVD entry is currently Analyzed.