GHSA-2vx9-7wpg-88jq: n8n: path traversal bypasses file access restriction

GHSA-2vx9-7wpg-88jq MEDIUM
Published May 19, 2026
CISO Take

n8n's ExecuteWorkflow node allows authenticated users to supply arbitrary file paths via the REST API, silently bypassing the N8N_RESTRICT_FILE_ACCESS_TO guardrail that is enforced only through the UI — enabling server-side filesystem enumeration and, where valid workflow JSON exists at the target path, arbitrary workflow execution against every downstream integration the platform touches. Although exploitation requires low-privilege authenticated access and the vulnerability carries no active KEV listing or public exploit, n8n functions as a central automation hub in many AI and data pipelines, so a single compromised or malicious internal account can cascade unauthorized actions across CRM, SIEM, cloud, and AI tool integrations without any further elevation. The localFile source option was removed from the UI in v1.2 but remains fully accessible through the REST API, creating a hidden attack surface that standard access reviews and UI-based audits will miss entirely — 84 prior CVEs in the same package signal a pattern of security debt worth prioritizing. Patch immediately to n8n 2.19.3 or 2.20.0; until then, revoke workflow creation permissions from all but fully trusted accounts and restrict direct REST API access to trusted network segments.

Sources: GitHub Advisory, ATLAS, OpenSSF

What is the risk?

MEDIUM-HIGH in AI agent and automation contexts. The CVSS base score of 6.4 understates operational risk for organizations using n8n as an AI workflow orchestrator. The Scope:Changed (S:C) modifier reflects cross-component blast radius: successful exploitation triggers actions on downstream systems connected to the loaded workflow, not just the n8n host. Exploitation requires only low-privilege authentication, a common posture for service accounts and developer users in automation platforms. No public exploit or CISA KEV listing currently exists and EPSS data is unavailable, so there is no indication that opportunistic exploitation is occurring yet. However, the covert nature of the API-accessible localFile option (hidden from the UI since v1.2 but never disabled) means this vector is unlikely to appear in standard security reviews, increasing dwell-time risk if it is exploited by a malicious insider or a compromised account.

Attack Kill Chain

Initial Access (ATLAS AML.T0012)
  Attacker authenticates to n8n using a valid low-privilege account with workflow creation or modification permissions, either through insider access or a compromised service account.

API Exploitation (ATLAS AML.T0049)
  Attacker crafts a REST API request targeting the ExecuteWorkflow node with a localFile parameter set to an arbitrary server path, bypassing the N8N_RESTRICT_FILE_ACCESS_TO restriction enforced only in the UI.

Filesystem Enumeration (ATLAS AML.T0037)
  Server error response differences reveal whether arbitrary files exist at the supplied path, allowing the attacker to map sensitive files including credentials, environment variables, and workflow configuration files.

Workflow Execution Impact (ATLAS AML.T0053)
  Attacker supplies the path of a discovered valid workflow JSON file; n8n loads and executes it, triggering unauthorized actions against all downstream integrations connected to that workflow, including data exfiltration, API calls, and cross-system writes.

What systems are affected?

Package  Ecosystem  Vulnerable Range  Patched
n8n      npm        < 2.19.3          2.19.3

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1: 6.4 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

What should I do?

6 steps
  1. PATCH

    Upgrade n8n to version 2.19.3 or 2.20.0 immediately — this is the only full remediation.

  2. RESTRICT PERMISSIONS (interim)

    Revoke workflow creation and modification permissions from all users who do not strictly require them; treat this as a privileged operation.

  3. NETWORK ISOLATION

    Block direct access to the n8n REST API from untrusted network segments; place n8n behind a reverse proxy with authentication and IP allowlisting where possible.

  4. AUDIT EXISTING WORKFLOWS

    Search existing workflows for ExecuteWorkflow nodes using the localFile source option, particularly those referencing paths outside expected workflow directories.

  5. DETECT

    Monitor n8n REST API logs for POST/PATCH requests to workflow endpoints containing 'localFile' source parameters pointing to paths outside sanctioned directories. Alert on filesystem paths referencing /etc/, ~/.ssh/, .env, or similar sensitive locations.

  6. ROTATE SECRETS

    If n8n has access to AI API keys, database credentials, or cloud tokens, review whether any could have been exposed via filesystem enumeration and rotate as a precaution.
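Steps 4 and 5 come down to the same check: find ExecuteWorkflow nodes whose source is localFile and decide whether the referenced path escapes the sanctioned workflow directory or points at a sensitive location. The Node.js script below is an added example, not n8n's own code or anything from the advisory; it assumes the node type string n8n-nodes-base.executeWorkflow and the parameter names source and workflowPath as they appear in exported workflow JSON, and the allowed root /opt/n8n/workflows is a placeholder.

```javascript
// Added audit helper, not n8n's own code. Assumed (not from the advisory): node type
// "n8n-nodes-base.executeWorkflow" and parameters "source" / "workflowPath" in workflow JSON.
const EXECUTE_WORKFLOW_TYPE = "n8n-nodes-base.executeWorkflow";
// Locations the advisory calls out as sensitive; a "~" prefix is flagged as well.
const SENSITIVE_PATTERNS = [/^\/etc\//, /(^|\/)\.ssh(\/|$)/, /(^|\/)\.env(\.|$)/, /^~/];
// Collapse "." and ".." segments of a POSIX path. An absolute `raw` ignores `root`,
// which is why a guardrail must check the resolved path, never the raw string.
function resolvePosix(root, raw) {
  const joined = raw.startsWith("/") ? raw : `${root}/${raw}`;
  const out = [];
  for (const seg of joined.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}
// True when `resolved` lies strictly below `root`. Symlinks are not followed here;
// pair this with realpath on the host when auditing files already on disk.
function isInside(root, resolved) {
  const r = resolvePosix("/", root);
  return resolved.startsWith(r === "/" ? "/" : r + "/");
}
// Scan one workflow object (database export or POST/PATCH body) for ExecuteWorkflow nodes
// using the localFile source; `allowedRoot` mirrors N8N_RESTRICT_FILE_ACCESS_TO.
function auditWorkflow(workflow, allowedRoot) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== EXECUTE_WORKFLOW_TYPE || node.parameters?.source !== "localFile") continue;
    const raw = String(node.parameters.workflowPath || "");
    const resolved = resolvePosix(allowedRoot, raw);
    const reasons = []; // empty means the path looks benign
    if (!isInside(allowedRoot, resolved)) reasons.push("outside allowed root");
    if (SENSITIVE_PATTERNS.some((re) => re.test(raw))) reasons.push("sensitive location");
    findings.push({ node: node.name, path: raw, resolved, reasons });
  }
  return findings;
}
// Constructed sample: a benign sub-flow, two probes to flag, one unrelated node to ignore.
const localFileNode = (name, workflowPath) =>
  ({ name, type: EXECUTE_WORKFLOW_TYPE, parameters: { source: "localFile", workflowPath } });
const SAMPLE_WORKFLOW = { name: "audit-sample", nodes: [
  localFileNode("Run sub-flow", "subflows/cleanup.json"),
  localFileNode("Probe env", "../../.env"),
  localFileNode("Probe ssh", "/root/.ssh/id_rsa"),
  { name: "Slack", type: "n8n-nodes-base.slack", parameters: {} },
] };
console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW, "/opt/n8n/workflows"), null, 1));
```

Run the same function over each workflow returned by the n8n export and over incoming POST/PATCH bodies at the reverse proxy; any finding with a non-empty reasons array is what step 5 asks you to alert on.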

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.6.1.2 - Segregation of duties
  A.8.2 - AI system access control
NIST AI RMF
  MANAGE 2.2 - Mechanisms to respond to AI risk
OWASP LLM Top 10
  LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-2vx9-7wpg-88jq actively exploited?

No confirmed active exploitation of GHSA-2vx9-7wpg-88jq has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-2vx9-7wpg-88jq?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation and orchestration platforms, Multi-tool AI integration pipelines, RAG pipelines with external data connectors, LLM-connected automation systems.

What is the CVSS score for GHSA-2vx9-7wpg-88jq?

GHSA-2vx9-7wpg-88jq has a CVSS v3.1 base score of 6.4 (MEDIUM).

Technical Details

NVD Description

Impact

The `ExecuteWorkflow` node's `localFile` source option read workflow files from disk without applying checks enforced by other file-reading nodes. An authenticated user with permission to create or modify workflows could supply an arbitrary file path via the REST API, bypassing the `N8N_RESTRICT_FILE_ACCESS_TO` restriction. This allowed the attacker to determine whether arbitrary files exist on the server host. Where the targeted path contained a valid workflow JSON file, the file could additionally be loaded and executed, potentially triggering actions on downstream systems connected to that workflow. The `localFile` source option has been hidden from the n8n UI since v1.2 but remains accessible via the REST API.

Patches

The issue has been fixed in n8n version 2.20.0 or 2.19.3. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
  - Restrict workflow creation and editing permissions to fully trusted users only.
  - Restrict network access to the n8n REST API to trusted users only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A malicious insider or attacker with a compromised low-privilege n8n account crafts a REST API PATCH request to modify an existing workflow, inserting an ExecuteWorkflow node with localFile set to /opt/n8n/.env. The server checks whether the path exists and, through error response differences, the attacker confirms the file is present — leaking environment variable secrets including AI API keys and database credentials without reading file contents directly. The attacker then pivots: they enumerate the n8n workflow storage directory to find valid workflow JSON files, identify one that integrates with an S3 bucket and a Slack channel, and supply that path via localFile. The workflow executes under the platform's service account, exfiltrating data from the S3 bucket and posting it to an attacker-controlled Slack workspace via a modified webhook — all triggered through a single authenticated API call with no UI interaction required.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Timeline

Published: May 19, 2026
Last Modified: May 19, 2026
First Seen: May 19, 2026
