GHSA-664h-gpgq-h6xx: n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints
Summary
n8n had a security flaw where three endpoints that change data in workflow test runs used the wrong permission scope (workflow:read instead of workflow:execute), allowing users with read-only access to start, cancel, and delete test runs they shouldn't be able to modify. This only affected enterprise versions with Advanced Permissions enabled.
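The scope mismatch described above, modeled as a route-table audit. This is an added example, not n8n's code: the route paths, the viewer/editor role map, and the function names are assumptions made for illustration.

```typescript
// Constructed sample data: these paths and roles are NOT n8n's real routes or roles.
type Method = "GET" | "POST" | "DELETE";
interface Route { method: Method; path: string; scope: string; }

// Assumed role model: a viewer may read workflows, an editor may also execute them.
const ROLE_SCOPES: Record<string, string[]> = {
  viewer: ["workflow:read"],
  editor: ["workflow:read", "workflow:execute"],
};

// "Before" table: start, cancel and delete are all guarded by workflow:read.
const BEFORE: Route[] = [
  { method: "GET", path: "/test-runs", scope: "workflow:read" },
  { method: "POST", path: "/test-runs/new", scope: "workflow:read" },
  { method: "POST", path: "/test-runs/:id/cancel", scope: "workflow:read" },
  { method: "DELETE", path: "/test-runs/:id", scope: "workflow:read" },
];

// "After" table: every state-changing route requires workflow:execute.
const AFTER: Route[] = BEFORE.map((r) =>
  r.method === "GET" ? r : { ...r, scope: "workflow:execute" });

// Authorization check: the role must hold the scope the route declares.
function isAllowed(role: string, route: Route): boolean {
  const scopes = ROLE_SCOPES[role] || [];
  return scopes.includes(route.scope);
}

// Audit rule: a non-GET route whose required scope ends in ":read" is suspect.
function auditRoutes(routes: Route[]): Route[] {
  return routes.filter((r) => r.method !== "GET" && r.scope.endsWith(":read"));
}

// State-changing routes that a given role can reach under a given table.
function mutableBy(role: string, routes: Route[]): string[] {
  return routes
    .filter((r) => r.method !== "GET" && isAllowed(role, r))
    .map((r) => `${r.method} ${r.path}`);
}

console.log("flagged before fix:", auditRoutes(BEFORE).map((r) => r.path));
console.log("viewer-reachable mutations after fix:", mutableBy("viewer", AFTER));
```

Running the same audit over a real route inventory in CI catches this class of mistake before release, since the rule depends only on the HTTP method and the declared scope.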
Solution / Mitigation
Upgrade to n8n version 1.123.55, 2.25.7, or 2.26.2 or later. As temporary workarounds if upgrading immediately is not possible: restrict project membership to fully trusted users only, or avoid granting viewer access to projects containing sensitive workflows (though these do not fully remediate the risk).
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-664h-gpgq-h6xx
First tracked: June 17, 2026 at 02:01 PM
Classified by LLM (prompt v3) · confidence: 75%