GHSA-57g9-58c2-xjg3: n8n Has an Arbitrary File Read via Git Node
Summary
A vulnerability in n8n (a workflow automation tool) allows authenticated users with permission to create or modify workflows to read arbitrary files from the server by injecting malicious commands into the Git node's Push operation. This could give an attacker complete control over the n8n server.
Solution / Mitigation
Upgrade to n8n versions 1.123.43, 2.20.7, or 2.22.1 or later. If upgrading immediately is not possible, temporarily limit workflow creation and editing permissions to trusted users only, or disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable (though these workarounds do not fully fix the risk and should only be used short-term).
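An added example, not part of the advisory or of n8n's own code: a small Node.js helper that adds `n8n-nodes-base.git` to an existing `NODES_EXCLUDE` value without dropping exclusions that are already configured. It assumes `NODES_EXCLUDE` holds a JSON array of node type names; the function names and the sample value are constructed for illustration.

```javascript
// Added example (not n8n code). Assumption: NODES_EXCLUDE is a JSON array
// of node type names, e.g. '["n8n-nodes-base.executeCommand"]'.
const GIT_NODE = 'n8n-nodes-base.git';

// Parse a NODES_EXCLUDE value; unset or blank means "nothing excluded".
function parseExcluded(current) {
  const raw = (current ?? '').trim();
  if (raw === '') return [];
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    throw new Error(`NODES_EXCLUDE is not valid JSON: ${err.message}`);
  }
  if (!Array.isArray(parsed) || !parsed.every((n) => typeof n === 'string')) {
    throw new Error('NODES_EXCLUDE must be a JSON array of strings');
  }
  return parsed.map((n) => n.trim());
}

// Return the new value: every existing exclusion kept, Git node added once.
function excludeGitNode(current) {
  return JSON.stringify([...new Set([...parseExcluded(current), GIT_NODE])]);
}

// True only if the value parses cleanly and already lists the Git node.
function isGitNodeExcluded(current) {
  try {
    return parseExcluded(current).includes(GIT_NODE);
  } catch {
    return false;
  }
}

// Constructed sample: an instance that already excludes another node.
const sample = '["n8n-nodes-base.executeCommand"]';
console.log(`before: excluded=${isGitNodeExcluded(sample)}`);
console.log(`NODES_EXCLUDE=${excludeGitNode(sample)}`);
```

Overwriting the variable with only the Git node would silently re-enable any nodes excluded earlier, which is why the helper merges rather than replaces.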
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://github.com/advisories/GHSA-57g9-58c2-xjg3
First tracked: May 14, 2026 at 02:00 PM