CVE-2026-56776
NixOS 취약성 분석 및 완화

개요

CVE-2026-56776 is an authorization bypass vulnerability in n8n, the open-source workflow automation platform, affecting the POST /workflows/{workflowId}/test-runs/new endpoint. The endpoint incorrectly authorizes access using the workflow:read scope instead of the required workflow:execute scope, allowing authenticated users with read-only permissions to trigger real workflow execution. Affected versions include n8n before 1.123.55, before 2.25.7, and before 2.26.2 (for the 2.26.x branch). It was published on July 8, 2026, with a CVSS v3.1 score of 7.4 (High) and a CVSS v4.0 score of 5.3 (Medium) (GitHub Advisory, Github Advisory).

기술적 세부 사항

The root cause is classified as CWE-863 (Incorrect Authorization) — the POST /workflows/{workflowId}/test-runs/new endpoint performs an authorization check but validates against the workflow:read OAuth scope rather than the correct workflow:execute scope (GitHub Advisory). An attacker exploits this by sending a POST request to the test-runs endpoint while authenticated with only read-only credentials, causing the internal workflow runner to execute the workflow as if fully authorized. The precondition for exploitation requires: (1) an authenticated account with workflow:read access, (2) the Evaluations feature to be enabled, and (3) an RBAC configuration where workflow:read is granted without workflow:execute (Github Advisory). No public proof-of-concept code has been identified at this time.

영향

Successful exploitation allows a read-only user to trigger full workflow execution, resulting in unintended outbound API calls, data mutations, or other side effects in downstream systems connected to the workflow (GitHub Advisory). The scope of impact extends beyond the n8n instance itself to any third-party services, databases, or APIs integrated into the affected workflows, creating risks of unauthorized data modification and unintended business process execution. Confidentiality, integrity, and availability of both the vulnerable system and subsequent connected systems are assessed as low-impact individually, but the chained effect across integrated downstream systems can be significant in production environments with sensitive workflows.

착취 단계

  1. Reconnaissance: Identify an n8n instance running a vulnerable version (before 1.123.55, 2.25.7, or 2.26.2) with the Evaluations feature enabled and RBAC project roles configured.
  2. Obtain read-only credentials: Acquire or use an existing authenticated account that has been granted workflow:read access (but not workflow:execute) on a target workflow — for example, a project member with a viewer role.
  3. Identify target workflow ID: Use the n8n API or UI (accessible with read permissions) to enumerate available workflows and obtain the workflowId of a workflow with sensitive integrations or side effects.
  4. Send malicious POST request: Issue a POST /workflows/{workflowId}/test-runs/new HTTP request using the read-only account's authentication token. The endpoint will incorrectly accept the workflow:read scope and authorize the request.
  5. Trigger workflow execution: The internal workflow runner executes the workflow in full, causing any configured actions — such as outbound API calls, database writes, or messaging — to fire against connected downstream systems (GitHub Advisory).

타협의 징후

  • Network: Unexpected outbound API calls or webhook triggers originating from the n8n server that correlate with workflow execution but were not initiated by authorized users or scheduled triggers.
  • Logs: n8n application logs showing POST /workflows/{workflowId}/test-runs/new requests from accounts with read-only RBAC roles; workflow execution records attributed to users who should not have execute permissions.
  • Application: Workflow execution history entries (visible in the n8n UI under Executions) showing test-run executions triggered by users with viewer/read-only project roles, especially outside normal business hours or in high frequency.

완화 및 해결 방법

Users should upgrade n8n to version 1.123.55, 2.25.7, or 2.26.2 (or later), which fix the incorrect scope check on the test-runs endpoint (GitHub Advisory). If immediate upgrade is not possible, administrators should restrict workflow access to fully trusted users only and audit RBAC project role assignments to ensure workflow:read is not granted to users who should not be permitted to execute workflows. These workarounds do not fully remediate the risk and should be treated as short-term measures only.

커뮤니티 반응

The vulnerability was reported by researcher '34selen' and published by n8n maintainer 'Jubke' via GitHub Security Advisories on June 10, 2026, with the CVE assigned on July 8, 2026 (GitHub Advisory). No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time.

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 NixOS 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-59257MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-59253MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-56778MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-56776MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026
CVE-2026-56775MEDIUM5.3
  • NixOS logoNixOS
  • n8n
아니요Jul 08, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자