n8n Improper Authorization Vulnerability in Workflow Execution Stop Endpoint Allowing Unauthorized Termination of Workflows

Vulnerability

A vulnerability exists in n8n versions prior to 1.99.1, specifically in the '/rest/executions/:id/stop' endpoint. This authorization flaw allows authenticated users to stop workflow executions that they do not own or that have not been shared with them. The issue can disrupt business operations, particularly for users running long or time-sensitive workflows. The vulnerability arises because this endpoint fails to enforce user-specific authorization, unlike most other API methods that manage access to execution IDs based on user ownership.

Impact

Exploitation of this vulnerability can lead to unauthorized termination of workflow executions, causing disruption to business processes that rely on n8n automations. This is particularly impactful for users with active or waiting workflows, as the unauthorized stoppage can interfere with critical tasks and deadlines.

Reproduction

The vulnerability can be reproduced by an authenticated user who sends a request to the '/rest/executions/:id/stop' endpoint with an execution ID that does not belong to them or has not been shared with them. This can be done by guessing or enumerating execution IDs, which are sequential and partially revealed through verbose error messages. Once the request is sent, the workflow execution will be stopped, regardless of the user's ownership or access rights.

Remediation

Users should upgrade to n8n version 1.99.1 or later, where this vulnerability has been patched. After upgrading, it is recommended to restrict access to the '/rest/executions/:id/stop' endpoint via reverse proxy or API gateway to prevent unauthorized users from terminating workflow executions.
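The missing ownership check described under Vulnerability, modelled beside a corrected handler. This is an added example, not n8n's code or its 1.99.1 patch; the in-memory store, the field names (ownerId, sharedWith, status), the status values and the function names are assumptions made for illustration.

```javascript
// Constructed sample data. Field names and status values are assumptions
// made for this example, not n8n's schema.
function sampleStore() {
  return new Map([
    [101, { id: 101, ownerId: 'alice', sharedWith: [], status: 'running' }],
    [102, { id: 102, ownerId: 'bob', sharedWith: ['alice'], status: 'waiting' }],
    [103, { id: 103, ownerId: 'bob', sharedWith: [], status: 'running' }],
  ]);
}

// Flawed pattern from the advisory: the caller is authenticated, but userId
// is never compared with the execution's owner or share list.
function stopUnchecked(store, userId, executionId) {
  const exec = store.get(executionId);
  if (!exec) return { status: 404, error: 'Execution not found' };
  exec.status = 'canceled';
  return { status: 200, id: exec.id };
}

// True when the caller owns the execution or it has been shared with them.
function canAccess(exec, userId) {
  return exec.ownerId === userId || exec.sharedWith.includes(userId);
}

// Corrected pattern: the ID is honoured only if the caller can access it.
// Unknown and inaccessible IDs return the same response, so the reply does
// not confirm which sequential IDs exist.
function stopChecked(store, userId, executionId) {
  const exec = store.get(executionId);
  if (!exec || !canAccess(exec, userId)) {
    return { status: 404, error: 'Execution not found' };
  }
  // Only active or waiting executions can be stopped.
  if (exec.status !== 'running' && exec.status !== 'waiting') {
    return { status: 409, error: 'Execution is not active' };
  }
  exec.status = 'canceled';
  return { status: 200, id: exec.id };
}
```

A regression test for the upgrade can follow the same shape: call the stop endpoint as a user with no access to the execution and confirm the execution keeps running.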

Added: Jul 3, 2025, 8:19 PM
Updated: Jul 3, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 0.6
exploitability: 5.5
remediation: 7.9
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.