n8n: Git Node Clone and Push Operations Bypass File Sandbox
Description
Authenticated n8n users can bypass the file sandbox by supplying local filesystem paths to Git node clone/push operations, leaking repository contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In n8n, the Git node's Clone and Push operations accept a local filesystem path where a repository URL is expected (the clone source or the push target), and the path is not checked against the N8N_RESTRICT_FILE_ACCESS_TO file sandbox that governs other file access from workflows [1][2]. All versions before 1.123.48, 2.21.8 and 2.22.4 are affected. An authenticated user with permission to create or modify workflows can exploit this simply by entering a local path in place of a remote repository URL; no other component is involved.
Exploitation
The attacker needs an authenticated n8n account with privileges to create or edit workflows. In a Clone operation the attacker supplies a local filesystem path (for example /etc/git-repo) as the source repository; git copies that repository into the clone target, which can itself sit inside an allowed directory, so later nodes in the same workflow can read the files. In a Push operation the local path is supplied as the target repository, and the n8n process pushes to that local repository instead of to a remote. In both cases the Git node operates with the filesystem permissions of the n8n process, and the sandbox never sees the path.
Impact
Successful exploitation allows the attacker to read the contents of any local Git repository the n8n process can access, including sensitive data such as configuration files, secrets, or source code held in those repositories. This is a confidentiality breach with no rated impact on integrity or availability. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (base score 7.7, High); the changed scope reflects that a low-privileged workflow author reaches data belonging to the host rather than to n8n itself.
Mitigation
The issue is fixed in n8n versions 1.123.48, 2.21.8, and 2.22.4 [1][2]; upgrade to one of these versions or later. If an immediate upgrade is not possible, administrators can restrict workflow creation and editing to fully trusted users, or disable the Git node by listing n8n-nodes-base.git in the NODES_EXCLUDE environment variable (a JSON array string, for example NODES_EXCLUDE='["n8n-nodes-base.git"]'). These workarounds reduce exposure but do not remediate the flaw: excluding the node breaks every workflow that depends on it, and restricting editors does nothing against a compromised editor account.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.