AI Threat Alert

CVE-2026-49465: n8n: Git node path traversal bypasses file sandbox

GHSA-5xp3-2w67-427v HIGH
Published June 16, 2026
CISO Take

n8n's built-in Git node accepts local filesystem paths as repository targets in Clone and Push operations, bypassing the N8N_RESTRICT_FILE_ACCESS_TO sandbox that is explicitly designed to prevent unauthorized file access. With CVSS 7.7 and Changed Scope (S:C), a single low-privileged workflow editor can read any local git repository accessible to the n8n process — including repos storing LLM API keys, vector database credentials, SSH keys, and proprietary AI pipeline code. Despite a low raw EPSS score, this vulnerability sits in the 90th EPSS percentile by exploitation likelihood, and n8n's 95 cumulative CVEs paired with a 6.5/10 OpenSSF Scorecard signal systemic security debt that threat actors are learning to exploit. Patch immediately to n8n 1.123.48, 2.21.8, or 2.22.4; if patching is blocked, add n8n-nodes-base.git to NODES_EXCLUDE and restrict workflow edit rights to fully trusted users only.

Sources: NVD EPSS GitHub Advisory ATLAS OpenSSF

What is the risk?

High risk for organizations using n8n in AI workflow automation environments. The CVSS:3.1 Changed Scope confirms impact extends beyond the n8n application boundary — the sandbox meant to contain file access is defeated entirely. Low Privileges Required (PR:L) and no user interaction needed (UI:N) mean any workflow editor is a viable threat actor, whether an external attacker with stolen credentials or a malicious insider. In AI/ML contexts, n8n commonly orchestrates pipelines connecting LLMs, vector stores, and model APIs, making exposed local repositories a high-value target for credential harvesting and IP theft. The 6.5/10 OpenSSF Scorecard and 95 cumulative CVEs in this package indicate a pattern of insufficient security controls that warrants heightened scrutiny.

How does the attack unfold?

Initial Access
Attacker authenticates to n8n using a valid low-privilege account that holds workflow creation or editing permissions.
AML.T0012
Tool Abuse
Attacker creates or modifies a workflow containing a Git node, supplying a local filesystem path (e.g., /opt/secrets/.git) as the Clone source repository instead of a legitimate remote URL.
AML.T0053
Sandbox Bypass
n8n executes the Git clone operation against the local path, circumventing the N8N_RESTRICT_FILE_ACCESS_TO restriction that would have blocked a direct file read to the same location.
AML.T0107
Data Exfiltration
Cloned repository contents — LLM API keys, database credentials, SSH keys, and AI pipeline configuration — are deposited into an allowed output directory and read by the attacker through standard workflow outputs.
AML.T0086

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm < 1.123.48 1.123.48
192.4K OpenSSF 6.5 Pushed 2d ago 51% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
7.7 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I None
A None

What should I do?

5 steps

  1. Patch n8n immediately to 1.123.48 (v1 branch), 2.21.8, or 2.22.4 (v2 branch) or any later release.

  2. If patching is not immediately feasible: (a) set the environment variable NODES_EXCLUDE=n8n-nodes-base.git to disable the Git node entirely; (b) restrict workflow creation and editing permissions to fully trusted users only via n8n RBAC — treat any workflow editor as a privileged role until patched.

  3. Audit workflow execution logs for Git node usage with local (non-remote) paths in Clone or Push operations; any local path is a red flag.

  4. Review and rotate credentials stored in local git repositories on hosts running n8n.

  5. Apply least-privilege to the n8n process user account to minimize filesystem reach in case of exploitation.

How is it classified?

Data Extraction Auth Bypass Agent Plugin AML.T0012 AML.T0037 AML.T0053 AML.T0086 AML.T0107

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.5 - Security of AI systems
NIST AI RMF
MANAGE 2.4 - Risk Treatment and Monitoring
OWASP LLM Top 10
LLM06 - Excessive Agency LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-49465?

n8n's built-in Git node accepts local filesystem paths as repository targets in Clone and Push operations, bypassing the N8N_RESTRICT_FILE_ACCESS_TO sandbox that is explicitly designed to prevent unauthorized file access. With CVSS 7.7 and Changed Scope (S:C), a single low-privileged workflow editor can read any local git repository accessible to the n8n process — including repos storing LLM API keys, vector database credentials, SSH keys, and proprietary AI pipeline code. Despite a low raw EPSS score, this vulnerability sits in the 90th EPSS percentile by exploitation likelihood, and n8n's 95 cumulative CVEs paired with a 6.5/10 OpenSSF Scorecard signal systemic security debt that threat actors are learning to exploit. Patch immediately to n8n 1.123.48, 2.21.8, or 2.22.4; if patching is blocked, add n8n-nodes-base.git to NODES_EXCLUDE and restrict workflow edit rights to fully trusted users only.

Is CVE-2026-49465 actively exploited?

No confirmed active exploitation of CVE-2026-49465 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-49465?

1. Patch n8n immediately to 1.123.48 (v1 branch), 2.21.8, or 2.22.4 (v2 branch) or any later release. 2. If patching is not immediately feasible: (a) set the environment variable NODES_EXCLUDE=n8n-nodes-base.git to disable the Git node entirely; (b) restrict workflow creation and editing permissions to fully trusted users only via n8n RBAC — treat any workflow editor as a privileged role until patched. 3. Audit workflow execution logs for Git node usage with local (non-remote) paths in Clone or Push operations; any local path is a red flag. 4. Review and rotate credentials stored in local git repositories on hosts running n8n. 5. Apply least-privilege to the n8n process user account to minimize filesystem reach in case of exploitation.

What systems are affected by CVE-2026-49465?

This vulnerability affects the following AI/ML architecture patterns: AI agent workflow automation, LLM orchestration pipelines, AI/ML CI/CD pipelines, Multi-tool AI agent frameworks.

What is the CVSS score for CVE-2026-49465?

CVE-2026-49465 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.03%.

What is the AI security impact?

Affected AI Architectures

AI agent workflow automationLLM orchestration pipelinesAI/ML CI/CD pipelinesMulti-tool AI agent frameworks

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0037 Data from Local System
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.5
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

## Impact An authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push operation, bypassing the `N8N_RESTRICT_FILE_ACCESS_TO` file sandbox. This allowed the contents of any local git repository accessible to the n8n process to be cloned into an allowed path and read, circumventing the access restrictions that correctly blocked direct file reads to the same paths. ## Patches The issue has been fixed in n8n versions 1.123.48, 2.21.8, and 2.22.4. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary with a low-privilege n8n account that can create or edit workflows builds a new workflow containing a Git node configured with a local filesystem path — for example, /home/n8n-service/ai-configs or /opt/ai-pipeline/.git — as the Clone source instead of a remote URL. When the workflow executes, n8n clones the contents of that local repository into an allowed output directory, bypassing N8N_RESTRICT_FILE_ACCESS_TO controls that would have blocked a direct file read to the same paths. The attacker reads the extracted files through n8n's standard workflow output, harvesting LLM API keys, vector database credentials, or model configuration secrets stored in the local repo. These credentials then enable pivot attacks against the broader AI infrastructure — LLM APIs, fine-tuning pipelines, or vector stores — connected to the n8n automation platform.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed