Path traversal in n8n - #VU131362

 


Published: May 13, 2026


Vulnerability identifier: #VU131362
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and execute workflow-defined actions on downstream systems.

The vulnerability exists due to path traversal in the localFile source option of the ExecuteWorkflow node when handling REST API requests with user-supplied file paths. A remote user can supply an arbitrary file path to bypass file path restrictions, disclose sensitive information, and execute workflow-defined actions on downstream systems.

The localFile source option is hidden from the UI but remains accessible through the REST API. Only files containing valid workflow JSON can be loaded and executed.
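
As an added example (not code from this advisory or from the n8n project), the following Node.js script audits exported workflow JSON for ExecuteWorkflow nodes whose source is localFile, since the option is not visible in the UI and such nodes are easy to overlook. The node type string, the `workflowPath` parameter name, the export layout and the `/opt/n8n/workflows` directory are assumptions.

```javascript
// Added example: audit exported n8n workflows for Execute Workflow nodes that
// load a sub-workflow from a local file.
// Assumed, not taken from the advisory: the node type string, the
// `workflowPath` parameter name and the { name, nodes: [...] } export layout.
const path = require('node:path');

const EXECUTE_WORKFLOW_TYPE = 'n8n-nodes-base.executeWorkflow'; // assumed

// Classify a configured path against the directory sub-workflows may live in.
// Relative paths are resolved against allowedDir (a simplification).
function classifyPath(p, allowedDir) {
  if (typeof p !== 'string' || p.trim() === '') return 'missing';
  if (p.trim().startsWith('=')) return 'expression'; // resolved only at run time
  const base = path.posix.resolve(allowedDir);
  const resolved = path.posix.resolve(base, p);
  return resolved.startsWith(base + '/') ? 'inside-allowed-dir' : 'outside-allowed-dir';
}

// Every hit is worth review: the option is not offered in the UI, so a stored
// `localFile` source deserves a look regardless of the verdict.
function findLocalFileNodes(workflows, allowedDir) {
  const findings = [];
  for (const wf of workflows) {
    for (const node of wf.nodes ?? []) {
      const params = node.parameters ?? {};
      if (node.type !== EXECUTE_WORKFLOW_TYPE || params.source !== 'localFile') continue;
      findings.push({
        workflow: wf.name ?? '(unnamed)',
        node: node.name,
        workflowPath: params.workflowPath ?? null,
        verdict: classifyPath(params.workflowPath, allowedDir),
      });
    }
  }
  return findings;
}

// Constructed sample export; /opt/n8n/workflows is a hypothetical directory.
const SAMPLE_EXPORT = [
  { name: 'Nightly sync', nodes: [
    { name: 'Run child', type: EXECUTE_WORKFLOW_TYPE, parameters: { source: 'database', workflowId: '12' } },
  ] },
  { name: 'Imported via API', nodes: [
    { name: 'Exec A', type: EXECUTE_WORKFLOW_TYPE, parameters: { source: 'localFile', workflowPath: '/opt/n8n/workflows/../../../srv/other/flow.json' } },
    { name: 'Exec B', type: EXECUTE_WORKFLOW_TYPE, parameters: { source: 'localFile', workflowPath: '/opt/n8n/workflows/child.json' } },
    { name: 'Exec C', type: EXECUTE_WORKFLOW_TYPE, parameters: { source: 'localFile', workflowPath: '={{ $json.file }}' } },
  ] },
];

console.table(findLocalFileNodes(SAMPLE_EXPORT, '/opt/n8n/workflows'));
```

Paths classified as `expression` cannot be judged statically and need a review of what feeds the expression.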


Remediation

Install the security update from the vendor's website.
