<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-18T22:36:42.147352+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/968a34d8-c5d6-4a11-91ab-92ff834a801c/export</id>
    <title>968a34d8-c5d6-4a11-91ab-92ff834a801c</title>
    <updated>2026-07-18T22:36:42.158060+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "968a34d8-c5d6-4a11-91ab-92ff834a801c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-H3JJ-5F3V-3685", "type": "seen", "source": "https://gist.github.com/alon710/65e1d568e6055790b920bb58e503275b", "content": "# GHSA-H3JJ-5F3V-3685: GHSA-H3JJ-5F3V-3685: Public API Execution Retry Authorization Bypass in n8n\n\n&amp;gt; **CVSS Score:** 6.4\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-H3JJ-5F3V-3685\n\n## Summary\nAn incorrect authorization vulnerability in the Public API of n8n allows authenticated users with read-only permissions to bypass access control boundaries. By invoking the execution retry endpoint, an unauthorized user can trigger workflow executions, effectively escalating their privileges from workflow:read to workflow:execute.\n\n## TL;DR\nA validation flaw in the n8n Public API allowed users with read-only workflow permissions to execute retries, triggering unauthorized workflow executions on the server.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 6.4 (Medium)\n- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\n- **Exploit Status**: poc\n- **Patched Versions**: 2.25.7, 2.26.2\n\n## Affected Systems\n\n- n8n (npm package)\n- n8n docker container image\n- **n8n**: &amp;lt; 2.25.7 (Fixed in: `2.25.7`)\n- **n8n**: &amp;gt;= 2.26.0, &amp;lt; 2.26.2 (Fixed in: `2.26.2`)\n\n## Mitigation\n\n- Upgrade the n8n container or package to a patched version immediately.\n- Restrict ingress traffic to `/v1/` API endpoints to trusted source IPs using a WAF or reverse proxy.\n- Implement the principle of least privilege by auditing and removing unused API keys.\n- Limit the cross-project sharing of critical workflows to reduce internal attack surface.\n\n**Remediation Steps:**\n1. Identify the current active version of n8n running in the environment.\n2. For Docker-based deployments, edit the docker-compose configuration to use image n8nio/n8n:2.26.2 or later.\n3. For npm-based deployments, execute npm install -g n8n@2.26.2 to apply the update.\n4. Restart the n8n container or process.\n5. Verify the update by attempting a retry request from an API key with read-only permissions and ensuring an HTTP 403 Forbidden is returned.\n\n## References\n\n- [GHSA-h3jj-5f3v-3685 Security Advisory on GitHub](https://github.com/n8n-io/n8n/security/advisories/GHSA-h3jj-5f3v-3685)\n- [GitHub Advisory Database Entry](https://github.com/advisories/GHSA-h3jj-5f3v-3685)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-H3JJ-5F3V-3685) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T06:41:15.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/968a34d8-c5d6-4a11-91ab-92ff834a801c/export"/>
    <published>2026-06-17T06:41:15+00:00</published>
  </entry>
</feed>
