File Path Restriction Bypass in n8n by n8n.io
CVE-2026-56352

5.3MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-56352?

An issue in n8n allows an authenticated user to bypass file access restrictions on workflow files. This vulnerability appears in the ExecuteWorkflow node's localFile source option, enabling users to supply arbitrary file paths. Although the related functionality is hidden from the user interface since version 1.2, it remains accessible via the REST API. This could allow attackers with permission to create or modify workflows to read and execute JSON files from arbitrary locations on the host, posing serious security risks.

Affected Version(s)

n8n 0 < 2.19.3

n8n 0 < 2.19.3

n8n 2.19.3

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YLChen-007
.