File Path Restriction Bypass in n8n by n8n.io
CVE-2026-56352
5.3MEDIUM
What is CVE-2026-56352?
An issue in n8n allows an authenticated user to bypass file access restrictions on workflow files. This vulnerability appears in the ExecuteWorkflow node's localFile source option, enabling users to supply arbitrary file paths. Although the related functionality is hidden from the user interface since version 1.2, it remains accessible via the REST API. This could allow attackers with permission to create or modify workflows to read and execute JSON files from arbitrary locations on the host, posing serious security risks.
Affected Version(s)
n8n 0 < 2.19.3
n8n 0 < 2.19.3
n8n 2.19.3
