{"uuid": "cf8f907c-488c-4342-a670-2f8b03e48f8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-664H-GPGQ-H6XX", "type": "seen", "source": "https://gist.github.com/alon710/b786193466cf6568b5f90f26b1c3038d", "content": "# GHSA-664H-GPGQ-H6XX: GHSA-664h-gpgq-h6xx: Privilege Escalation via Broken Authorization in n8n Evaluation Test Runs Controller\n\n> **CVSS Score:** 5.4\n> **Published:** 2026-06-17\n> **Full Report:** https://cvereports.com/reports/GHSA-664H-GPGQ-H6XX\n\n## Summary\nAn incorrect authorization vulnerability exists in the open-source workflow automation platform n8n within the Evaluation Test Runs Controller. In deployments utilizing Advanced Permissions, an authenticated user assigned a low-privilege project:viewer role can bypass configured permission policies. This allows the unauthorized user to execute, terminate, or delete workflow evaluation test runs by exploiting misconfigured API scope validations that map read-only scopes to mutating endpoints.\n\n## TL;DR\nA scope misconfiguration in n8n's Evaluation Test Runs Controller allows authenticated, read-only 'viewer' accounts to trigger, cancel, and delete workflow test runs without proper authorization.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863 (Incorrect Authorization)\n- **Attack Vector**: Network\n- **CVSS v3.1**: 5.4\n- **Exploit Status**: Proof of Concept / Technical details understood\n- **Required Privilege Level**: Low (project:viewer)\n- **Impact**: Integrity Loss, Denial of Service (Testing Pipelines)\n\n## Affected Systems\n\n- n8n Enterprise Edition with Advanced Permissions enabled\n- n8n Cloud Edition with Advanced Permissions enabled\n- **n8n**: < 1.123.55 (Fixed in: `1.123.55`)\n- **n8n**: >= 2.0.0 < 2.25.7 (Fixed in: `2.25.7`)\n- **n8n**: >= 2.26.0 < 2.26.2 (Fixed in: `2.26.2`)\n\n## Mitigation\n\n- Immediately update n8n to versions 1.123.55, 2.25.7, 2.26.2, or subsequent releases\n- Audit active Advanced Permissions allocations to ensure users are granted minimal necessary roles\n- Audit application server access logs for anomalous POST/DELETE actions targeting evaluation endpoints\n\n**Remediation Steps:**\n1. Identify the current deployment version and licensing model of the n8n instance.\n2. Schedule a maintenance window to perform database backups and stop n8n application processes.\n3. Pull and deploy the patched image or update the npm dependency version to a verified release (1.123.55, 2.25.7, or 2.26.2).\n4. Restart the application services and monitor system logs for normal initialization.\n5. Conduct validation testing with a low-privilege viewer credential to confirm that requests to start, cancel, or delete evaluation runs return a 403 Forbidden status code.\n\n## References\n\n- [n8n Security Advisory (GHSA-664h-gpgq-h6xx)](https://github.com/n8n-io/n8n/security/advisories/GHSA-664h-gpgq-h6xx)\n- [n8n Primary Source Repository](https://github.com/n8n-io/n8n)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-664H-GPGQ-H6XX) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T14:31:19.000000Z"}