{"vulnerability": "ghsa-h3jj-5f3v-3685", "sightings": [{"uuid": "968a34d8-c5d6-4a11-91ab-92ff834a801c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-H3JJ-5F3V-3685", "type": "seen", "source": "https://gist.github.com/alon710/65e1d568e6055790b920bb58e503275b", "content": "# GHSA-H3JJ-5F3V-3685: GHSA-H3JJ-5F3V-3685: Public API Execution Retry Authorization Bypass in n8n\n\n&gt; **CVSS Score:** 6.4\n&gt; **Published:** 2026-06-16\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-H3JJ-5F3V-3685\n\n## Summary\nAn incorrect authorization vulnerability in the Public API of n8n allows authenticated users with read-only permissions to bypass access control boundaries. By invoking the execution retry endpoint, an unauthorized user can trigger workflow executions, effectively escalating their privileges from workflow:read to workflow:execute.\n\n## TL;DR\nA validation flaw in the n8n Public API allowed users with read-only workflow permissions to execute retries, triggering unauthorized workflow executions on the server.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 6.4 (Medium)\n- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\n- **Exploit Status**: poc\n- **Patched Versions**: 2.25.7, 2.26.2\n\n## Affected Systems\n\n- n8n (npm package)\n- n8n docker container image\n- **n8n**: &lt; 2.25.7 (Fixed in: `2.25.7`)\n- **n8n**: &gt;= 2.26.0, &lt; 2.26.2 (Fixed in: `2.26.2`)\n\n## Mitigation\n\n- Upgrade the n8n container or package to a patched version immediately.\n- Restrict ingress traffic to `/v1/` API endpoints to trusted source IPs using a WAF or reverse proxy.\n- Implement the principle of least privilege by auditing and removing unused API keys.\n- Limit the cross-project sharing of critical workflows to reduce internal attack surface.\n\n**Remediation Steps:**\n1. Identify the current active version of n8n running in the environment.\n2. For Docker-based deployments, edit the docker-compose configuration to use image n8nio/n8n:2.26.2 or later.\n3. For npm-based deployments, execute npm install -g n8n@2.26.2 to apply the update.\n4. Restart the n8n container or process.\n5. Verify the update by attempting a retry request from an API key with read-only permissions and ensuring an HTTP 403 Forbidden is returned.\n\n## References\n\n- [GHSA-h3jj-5f3v-3685 Security Advisory on GitHub](https://github.com/n8n-io/n8n/security/advisories/GHSA-h3jj-5f3v-3685)\n- [GitHub Advisory Database Entry](https://github.com/advisories/GHSA-h3jj-5f3v-3685)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-H3JJ-5F3V-3685) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T06:41:15.000000Z"}]}