Home

Description

n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical integrity violations in target project folder structures.

PUBLISHED Reserved 2026-07-04 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version before 2.28.0
affected

2.28.0 (semver)
unaffected

Credits

HO-9 reporter

References

github.com/...io/n8n/security/advisories/GHSA-2xgm-wc4g-5jvg (GitHub Security Advisory (GHSA-2xgm-wc4g-5jvg)) vendor-advisory

www.vulncheck.com/...ation-in-workflow-assignment-to-folders (VulnCheck Advisory: n8n - Improper Authorization in Workflow Assignment to Folders) third-party-advisory

cve.org (CVE-2026-59253)

nvd.nist.gov (CVE-2026-59253)

Download JSON