PT-2026-60116 · N8N · N8N

Ylchen-007

·

Publicado

2026-07-15

·

Atualizado

2026-07-15

·

CVE-2026-56352

CVSS v3.1

6.4

Média

VetorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the REST API. An authenticated user with permission to create or modify workflows can supply an arbitrary file path to bypass the N8N RESTRICT FILE ACCESS TO restriction and determine whether arbitrary files exist on the host; where the targeted path contains a valid workflow JSON file, that file can additionally be loaded and executed.

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-56352

Produtos afetados

N8N