GHSA-h3jj-5f3v-3685: n8n: Public API Execution Retry Authorization Bypass
Summary
n8n, a workflow automation tool, had a security flaw where the Public API (a way for external programs to interact with n8n) incorrectly allowed users with read-only permissions to retry workflow executions. This bypassed the intended access control that separates read access (viewing only) from execute access (running workflows), affecting shared workflows across users or projects.
Solution / Mitigation
The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily restrict workflow sharing to fully trusted users only or restrict network access to the n8n Public API to trusted users only, though these workarounds do not fully remediate the risk.
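A naive "version >= 2.25.7" comparison would mark 2.26.0 and 2.26.1 as fixed, so the check below is release-line aware. It is an added example, not code from n8n or the advisory; the function names and host inventory are constructed, and it assumes every release below the fix on each line is affected, since the page lists only fixed versions.

```javascript
// Added example: fixed versions are from the advisory; treating every earlier
// release on each line as affected is an assumption.
const FIXED = [[2, 25, 7], [2, 26, 2]];

// Accepts "2.26.2", "v2.26.2" or "2.26.2-rc.1"; anything else is rejected.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable n8n version: ${text}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(versionText) {
  const { nums, pre } = parseVersion(versionText);
  // On a release line that has its own fix, require that patch level or later.
  const sameLine = FIXED.find((f) => f[0] === nums[0] && f[1] === nums[1]);
  if (sameLine) {
    const c = compare(nums, sameLine);
    // A pre-release of the fixed version itself is not counted as patched.
    return c > 0 || (c === 0 && !pre);
  }
  // Any other line is patched only if it is newer than the newest fixed release.
  const newest = FIXED.reduce((a, b) => (compare(a, b) >= 0 ? a : b));
  return compare(nums, newest) > 0;
}

// Returns the hosts that still need the upgrade.
function triage(inventory) {
  return inventory.filter((h) => !isPatched(h.version)).map((h) => h.host);
}

// Constructed inventory for illustration.
const SAMPLE_INVENTORY = [
  { host: "n8n-a.example.internal", version: "2.25.7" },
  { host: "n8n-b.example.internal", version: "2.26.1" },
  { host: "n8n-c.example.internal", version: "v2.26.2" },
  { host: "n8n-d.example.internal", version: "2.24.9" },
  { host: "n8n-e.example.internal", version: "2.26.2-rc.1" },
];

console.log(triage(SAMPLE_INVENTORY));
```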
Original source: https://github.com/advisories/GHSA-h3jj-5f3v-3685
First tracked: June 16, 2026 at 08:00 PM