SQL injection in n8n - CVE-2026-33713

 

Published: April 23, 2026


Vulnerability identifier: #VU127210
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33713
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL statements.

The vulnerability exists due to SQL injection in the Data Table Get node when processing an expression in the orderByColumn field. A remote user can supply a crafted orderByColumn expression to execute arbitrary SQL statements.

On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. On the default SQLite database, the attack surface is more limited because only single statements can be manipulated.
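The following JavaScript is an added illustration of the bug class described above, not code from the advisory or from the n8n project. Column names cannot be passed as bound parameters, so a sort column that is interpolated straight into the query text becomes an injection point; the hardened builder checks the requested column against an allow-list of the table's known columns, quotes the identifier, and restricts the sort direction to a fixed keyword. The table name, column list and hostile input are constructed for the example.

```javascript
// Added example (not n8n's code). Demonstrates why a caller-controlled
// ORDER BY column is injectable and how an identifier allow-list closes it.
// Table and column names below are constructed for illustration.

const ALLOWED_COLUMNS = new Set(["id", "name", "createdAt"]);

// Vulnerable pattern: the user-supplied column name lands in the SQL text
// verbatim, so anything after it becomes part of the statement.
function buildOrderByUnsafe(table, orderByColumn, direction = "ASC") {
  return `SELECT * FROM "${table}" ORDER BY ${orderByColumn} ${direction}`;
}

// Double any embedded quote so the identifier stays a single quoted token.
function quoteIdentifier(ident) {
  return `"${String(ident).replace(/"/g, '""')}"`;
}

// Hardened pattern: validate the identifier against the known schema,
// quote it, and never interpolate the direction string itself.
function buildOrderBySafe(table, orderByColumn, direction = "ASC") {
  if (!ALLOWED_COLUMNS.has(orderByColumn)) {
    throw new Error(`Unknown ORDER BY column: ${JSON.stringify(orderByColumn)}`);
  }
  const dir = String(direction).toUpperCase() === "DESC" ? "DESC" : "ASC";
  return `SELECT * FROM ${quoteIdentifier(table)} ORDER BY ${quoteIdentifier(orderByColumn)} ${dir}`;
}

// Returns true when the safe builder rejects the input, false when it accepts it.
function safeBuilderRejects(table, orderByColumn) {
  try {
    buildOrderBySafe(table, orderByColumn);
    return false;
  } catch (e) {
    return true;
  }
}

// Rough statement counter: a single SELECT should never yield more than one.
// On a database that allows multi-statement execution, a count above one is
// exactly the condition the advisory describes for PostgreSQL deployments.
function statementCount(sql) {
  return sql.split(";").filter((s) => s.trim().length > 0).length;
}

// Constructed hostile value: a valid column name followed by a second statement.
const hostileColumn = 'id; DELETE FROM "records"';

console.log(buildOrderByUnsafe("records", hostileColumn));
// The unsafe query now contains two statements.
console.log("statements in unsafe query:", statementCount(buildOrderByUnsafe("records", hostileColumn)));
console.log("safe builder rejects hostile column:", safeBuilderRejects("records", hostileColumn));
console.log(buildOrderBySafe("records", "name", "desc"));
```

The allow-list is the essential control: quoting alone would still let an unknown identifier through, and on SQLite the single-statement limit mentioned above narrows but does not remove the problem, since the sort expression itself can still be altered.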


How to mitigate CVE-2026-33713

Install the security update from the vendor's website.
