CVE-2026-56352
Received Received - Intake

File Path Bypass in n8n Workflow Execution

Vulnerability report for CVE-2026-56352, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the REST API. An authenticated user with permission to create or modify workflows can supply an arbitrary file path to bypass the N8N_RESTRICT_FILE_ACCESS_TO restriction and determine whether arbitrary files exist on the host; where the targeted path contains a valid workflow JSON file, that file can additionally be loaded and executed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
n8n n8n to 2.19.3 (exc)
n8n n8n to 2.20.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56352 is a path traversal vulnerability in n8n versions before 2.19.3. It affects the legacy ExecuteWorkflow node's localFile source option, which bypasses file-access restrictions even though the feature is hidden in the UI. An authenticated user with workflow creation or modification permissions can exploit this to read arbitrary files on the host system by supplying a malicious file path, bypassing the N8N_RESTRICT_FILE_ACCESS_TO setting. If the targeted file is a valid workflow JSON file, it can also be loaded and executed.

Impact Analysis

This vulnerability allows an attacker with workflow permissions to read sensitive files on the server, check for file existence, and execute workflows from arbitrary files. This could lead to data breaches, unauthorized actions in connected systems, or further compromise of the host system.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating compliance requirements under GDPR (data protection) and HIPAA (health information privacy). It may result in data breaches, unauthorized processing, or exposure of regulated data, potentially leading to legal penalties and reputational damage.

Detection Guidance

Check n8n version with: n8n --version. If version is below 2.19.3, the system is vulnerable. Inspect workflows via REST API for ExecuteWorkflow nodes using localFile source with arbitrary paths. Monitor for unauthorized file reads or workflow executions in logs.

Mitigation Strategies

Upgrade n8n to version 2.19.3 or later immediately. Restrict workflow creation/modification permissions to trusted users. Limit REST API access to authorized personnel. Review and remove any existing workflows using the localFile source option.

Executive Summary

CVE-2026-56352 is a path traversal vulnerability in n8n versions before 2.19.3. It affects the legacy ExecuteWorkflow node's localFile source option, which bypasses file-access restrictions even though the feature is hidden in the UI. An authenticated user with workflow creation or modification permissions can exploit this to read arbitrary files on the host system by supplying a malicious file path, bypassing the N8N_RESTRICT_FILE_ACCESS_TO setting. If the targeted file is a valid workflow JSON file, it can also be loaded and executed.

Impact Analysis

This vulnerability allows an attacker with workflow permissions to read sensitive files on the server, check for file existence, and execute workflows from arbitrary files. This could lead to data breaches, unauthorized actions, or further system compromise if connected downstream systems are triggered.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection principles and HIPAA's security requirements. It may result in data breaches, unauthorized processing, or disclosure of protected health information, leading to legal penalties and compliance failures.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart