GHSA-664h-gpgq-h6xx: n8n: viewer role can start/cancel/delete eval workflow runs
GHSA-664h-gpgq-h6xx (severity: MEDIUM)

An authorization scope misconfiguration in n8n's evaluation test runs controller allows any authenticated project viewer to perform write operations — starting, canceling, and deleting evaluation runs — on workflows they should only be able to read. This exclusively affects Enterprise and Cloud deployments with Advanced Permissions enabled, limiting blast radius to organizations using n8n's multi-user project model for AI agent orchestration. With CVSS 5.4, no public exploit, and no CISA KEV listing, the most plausible threat is insider abuse or a compromised low-privilege account disrupting AI evaluation pipelines rather than external attack. Upgrade to n8n 1.123.55, 2.25.7, or 2.26.2; if patching is delayed, restrict project membership to fully trusted users only and audit all existing viewer-level grants on sensitive workflow projects.
What is the risk?
Medium risk, scoped to authenticated Enterprise or Cloud n8n instances with Advanced Permissions active. External exposure is minimal, since exploitation requires a valid project:viewer session. The realistic threat is insider abuse or the compromise of a low-privilege account's credentials. No confidentiality impact; low integrity and availability impact per CVSS. However, for teams that use n8n evaluation runs as AI quality gates or as compliance evidence, tampering with run history carries operational risk out of proportion to the numeric score. An OpenSSF Scorecard of 6.5/10 and 106 prior CVEs in the same package suggest the n8n codebase warrants ongoing security scrutiny.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.55 | 1.123.55 |
Do you run an unpatched n8n Enterprise or Cloud instance with Advanced Permissions enabled? You're affected.
What should I do?
Five steps:

1. Patch: upgrade to n8n 1.123.55, 2.25.7, or 2.26.2 immediately.
2. Short-term workaround: audit and tighten project membership — remove viewer access from untrusted or non-essential users on projects hosting sensitive AI workflows.
3. Do not grant the viewer role on projects where evaluation runs function as compliance evidence or model quality gates until patched.
4. Review audit logs for anomalous evaluation test run activity: unexpected initiations, early cancellations, or deletions are indicators of exploitation.
5. Verify the three affected endpoints are covered by post-patch authorization logic via integration testing before re-granting viewer access.
Frequently Asked Questions
Is GHSA-664h-gpgq-h6xx actively exploited?
No confirmed active exploitation of GHSA-664h-gpgq-h6xx has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-664h-gpgq-h6xx?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, model evaluation pipelines.
What is the CVSS score for GHSA-664h-gpgq-h6xx?
GHSA-664h-gpgq-h6xx has a CVSS v3.1 base score of 5.4 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
## Impact

Three mutating endpoints in the evaluation test runs controller authorized state-changing actions using `workflow:read` instead of the action-appropriate `workflow:execute` scope. An authenticated user with `project:viewer` role on a project could start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they only had read access to.

This issue only affects instances with Advanced Permissions (Enterprise/Cloud) where projects and viewer roles are in use.

## Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Restrict project membership to fully trusted users only.
- Avoid granting viewer access to projects containing sensitive workflows.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
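The scope mix-up the advisory describes, together with the regression check called for in step 5 of the remediation list, modelled as an added TypeScript example (not n8n's code). The scope names `workflow:read` and `workflow:execute` and the `project:viewer` role come from the advisory; the role-to-scope table and the route paths are assumptions.

```typescript
// Added example, not n8n's code: a minimal model of the GHSA-664h-gpgq-h6xx
// authorization gap. Scopes and the viewer role come from the advisory; the
// role-to-scope table and the route table below are assumptions.
type Scope = 'workflow:read' | 'workflow:update' | 'workflow:execute';
type Role = 'project:viewer' | 'project:editor' | 'project:admin';

// Assumed role -> scope mapping: a viewer carries read scope only.
const ROLE_SCOPES: Record<Role, ReadonlySet<Scope>> = {
  'project:viewer': new Set<Scope>(['workflow:read']),
  'project:editor': new Set<Scope>(['workflow:read', 'workflow:update', 'workflow:execute']),
  'project:admin': new Set<Scope>(['workflow:read', 'workflow:update', 'workflow:execute']),
};

interface Route { method: 'GET' | 'POST' | 'DELETE'; path: string; requiredScope: Scope }

// Hypothetical route table for an evaluation test runs controller. Before the
// fix the three mutating routes were gated on workflow:read (the scope a viewer
// already holds); after the fix they demand workflow:execute.
function evaluationRoutes(patched: boolean): Route[] {
  const mutating: Scope = patched ? 'workflow:execute' : 'workflow:read';
  return [
    { method: 'GET', path: '/evaluation/test-runs', requiredScope: 'workflow:read' },
    { method: 'POST', path: '/evaluation/test-runs', requiredScope: mutating },
    { method: 'POST', path: '/evaluation/test-runs/:id/cancel', requiredScope: mutating },
    { method: 'DELETE', path: '/evaluation/test-runs/:id', requiredScope: mutating },
  ];
}

// The authorization check: does the caller's role carry the scope the route requires?
function isAuthorized(role: Role, route: Route): boolean {
  return ROLE_SCOPES[role].has(route.requiredScope);
}

// Regression check for remediation step 5: list every state-changing route that a
// viewer is still allowed to call. A correctly gated controller returns an empty list.
function viewerCanMutate(routes: Route[]): string[] {
  return routes
    .filter((r) => r.method !== 'GET' && isAuthorized('project:viewer', r))
    .map((r) => `${r.method} ${r.path}`);
}

// Stand-alone run: shows the three exposed routes before the fix and none after.
console.log('vulnerable:', viewerCanMutate(evaluationRoutes(false)));
console.log('patched:   ', viewerCanMutate(evaluationRoutes(true)));
```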
Exploitation Scenario
An attacker with a compromised or intentionally provisioned project:viewer account on an n8n Enterprise/Cloud instance identifies workflows used in AI evaluation pipelines. Using standard API calls with a valid session token — no exploit code required — they invoke the misconfigured evaluation test run controller endpoints, which incorrectly gate write actions on the workflow:read scope the viewer already holds. The attacker starts spurious evaluation runs to drain compute budget, cancels legitimate in-flight evaluations to sabotage model quality assurance cycles, or deletes historical run records to corrupt benchmarking baselines and cover their tracks. In AI development contexts, this disruption may delay releases or invalidate compliance evidence without triggering obvious alarms.
Weaknesses (CWE)
CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Related Vulnerabilities
| Advisory | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-33663 | 10.0 | n8n: member role steals plaintext HTTP credentials | Same package: n8n |
| CVE-2026-54309 | 10.0 | n8n: MCP browser auth bypass allows full browser takeover | Same package: n8n |
| CVE-2026-21858 | 10.0 | n8n: Input Validation flaw enables exploitation | Same package: n8n |
| CVE-2026-33660 | 10.0 | TensorFlow: type confusion NPD in tensor conversion | Same package: n8n |
| CVE-2025-68668 | 9.9 | n8n: Protection Bypass circumvents security controls | Same package: n8n |