Skip to main content

n8n EUVDEUVD-2026-44625

| CVE-2026-56352 MEDIUM
Path Traversal (CWE-22)
2026-07-15 VulnCheck GHSA-w243-4jxf-88rr
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.4 MEDIUM

Network REST API access with low-privilege authenticated user; scope changes to downstream connected systems justify S:C; confidentiality and integrity impacts are limited to file disclosure and workflow execution respectively.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 13:03 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 12:38 vuln.today
Analysis Generated
Jul 15, 2026 - 12:38 vuln.today

DescriptionCVE.org

n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the REST API. An authenticated user with permission to create or modify workflows can supply an arbitrary file path to bypass the N8N_RESTRICT_FILE_ACCESS_TO restriction and determine whether arbitrary files exist on the host; where the targeted path contains a valid workflow JSON file, that file can additionally be loaded and executed.

AnalysisAI

File path restriction bypass in n8n before 2.19.3 allows authenticated users with workflow creation or modification rights to circumvent the N8N_RESTRICT_FILE_ACCESS_TO security boundary via a legacy REST API code path, enabling arbitrary file existence disclosure on the host filesystem. Where a targeted path contains valid workflow JSON, that file can additionally be loaded and executed by the n8n engine, potentially triggering downstream actions on all systems connected to that workflow. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain authenticated n8n credentials with workflow permissions
Delivery
Send crafted REST API request to ExecuteWorkflow node
Exploit
Supply arbitrary file path via localFile source parameter
Install
Bypass N8N_RESTRICT_FILE_ACCESS_TO restriction
C2
Enumerate sensitive file existence via differential error responses
Execute
Identify valid workflow JSON on host filesystem
Impact
Load and execute target workflow to trigger downstream system actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated n8n account with permission to create or modify workflows - unauthenticated attackers and accounts without workflow permissions cannot reach the vulnerable code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) appropriately reflects the authenticated barrier (PR:L), which meaningfully limits the exploitable population to users who already have workflow creation or modification rights. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated n8n user with workflow modification rights bypasses the UI entirely and issues a crafted REST API request targeting the ExecuteWorkflow node with an arbitrary file path supplied via the localFile source parameter - for example pointing at /etc/passwd or application credential files - and infers file existence from the differing error responses returned by the server. If the attacker discovers a path containing valid workflow JSON (such as an exported workflow from another tenant or a sensitive automation definition stored on the host), they trigger a second request to load and execute that file, causing the n8n engine to run the workflow and invoke all downstream integrations it references, such as database queries, webhook calls, or cloud API operations.
Remediation The primary remediation is to upgrade n8n to version 2.19.3 or 2.20.0 (or any later release), as confirmed by the vendor in GHSA-2vx9-7wpg-88jq (https://github.com/n8n-io/n8n/security/advisories/GHSA-2vx9-7wpg-88jq). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

EUVD-2026-44625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy