
n8n: POST /workflows/{workflowId}/test-runs/new permission misassignment


17 Jun 2026 · Read 1 min · Severity: schedule it

What changed

The POST /workflows/{workflowId}/test-runs/new endpoint was incorrectly using workflow:read permission instead of workflow:execute, allowing read-only users to trigger workflow execution.

Who it affects

Instances using the Evaluations feature with RBAC project roles where users have workflow:read but not workflow:execute access.

What to do today

Upgrade n8n to version 1.123.55, 2.25.7, or 2.26.2 or later. If immediate upgrade is not possible, restrict workflow access to fully trusted users and audit project role assignments.
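One way to run the role audit suggested above, as an added example that is not n8n's own code: it models the endpoint gate with the misassigned scope and with the intended one, then lists the assignments that pass the first but not the second. The role names, users and the shape of the exported data are constructed assumptions; only the two scope names come from the advisory.

```javascript
const READ = 'workflow:read';
const EXECUTE = 'workflow:execute';

// Constructed sample data; role names and export shape are assumptions.
const roles = {
  editor: [READ, EXECUTE],
  viewer: [READ],
  'eval-runner': [READ, EXECUTE],
  billing: [],
};
const assignments = [
  { user: 'alice@example.test', project: 'payments', role: 'editor' },
  { user: 'bob@example.test', project: 'payments', role: 'viewer' },
  { user: 'carol@example.test', project: 'ml-evals', role: 'eval-runner' },
  { user: 'dave@example.test', project: 'ml-evals', role: 'viewer' },
  { user: 'erin@example.test', project: 'ml-evals', role: 'billing' },
  { user: 'frank@example.test', project: 'ml-evals', role: 'retired-role' },
];

// Model of the endpoint gate: the request passes if the caller holds `required`.
function passesGate(scopes, required) {
  return scopes.includes(required);
}

// Assignments that pass the misassigned gate (workflow:read) but would be
// rejected by the intended one (workflow:execute).
function exposedAssignments(roleDefs, assigned) {
  const exposed = [];
  const unknown = [];
  for (const a of assigned) {
    const scopes = roleDefs[a.role];
    // A role with no definition cannot be classified; surface it for manual review.
    if (!Array.isArray(scopes)) { unknown.push(a); continue; }
    if (passesGate(scopes, READ) && !passesGate(scopes, EXECUTE)) exposed.push(a);
  }
  return { exposed, unknown };
}

const report = exposedAssignments(roles, assignments);
for (const a of report.exposed) console.log(`review: ${a.user} in ${a.project} (${a.role})`);
for (const a of report.unknown) console.log(`unknown role: ${a.user} -> ${a.role}`);
```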
