CVE-2026-56352 PUBLISHED

n8n - Arbitrary File Read and Execution via ExecuteWorkflow localFile Parameter

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 15.07.2026 Updated: 15.07.2026

n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the REST API. An authenticated user with permission to create or modify workflows can supply an arbitrary file path to bypass the N8N_RESTRICT_FILE_ACCESS_TO restriction and determine whether arbitrary files exist on the host; where the targeted path contains a valid workflow JSON file, that file can additionally be loaded and executed.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.3

Product Status

Vendor n8n
Product n8n
Versions Default: unaffected
  • affected from 0 to 2.19.3 (excl.)
  • Version 2.19.3 is unaffected
Vendor n8n
Product n8n
Versions Default: unaffected
  • affected from 0 to 2.19.3 (excl.)
  • Version 2.19.3 is unaffected

Credits

  • YLChen-007 reporter

References

Problem Types

  • Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE