SQL injection in n8n - CVE-2026-44792

 


Published: May 13, 2026


Vulnerability identifier: #VU131357
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-44792
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software: n8n

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands on the internal PostgreSQL instance.

The vulnerability exists due to SQL injection in the Source Control pull import of Data Table JSON files when processing a crafted column name from a pulled repository. A remote attacker can commit a malicious Data Table JSON file and trigger execution during a Source Control Pull to execute arbitrary SQL commands on the internal PostgreSQL instance.

Exploitation requires the Source Control feature to be enabled, the instance to use PostgreSQL as its database backend, and an administrator to perform a Source Control Pull.
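
The following added example, which is not n8n's code or the vendor's patch, shows how column names read from an untrusted Data Table JSON file can be checked against an allowlist and quoted before they reach PostgreSQL DDL. The file shape, the type names and all function names are assumptions made for illustration.

```javascript
// Added example, not n8n code. Assumed (hypothetical) file shape:
// { "name": "orders", "columns": [ { "name": "total", "type": "number" } ] }
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/; // PostgreSQL identifiers: max 63 bytes
const TYPE_MAP = new Map([ // assumed type names, mapped to fixed PostgreSQL types
  ['string', 'text'], ['number', 'double precision'],
  ['boolean', 'boolean'], ['date', 'timestamptz'],
]);

// Allowlist check: anything that is not a plain identifier is rejected.
function isSafeIdent(name) {
  return typeof name === 'string' && IDENT_RE.test(name);
}

// PostgreSQL identifier quoting: wrap in double quotes, double any embedded quote.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\u0000')) {
    throw new TypeError('invalid identifier');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Review a pulled Data Table file before import. Returns findings; empty means clean.
function auditDataTable(jsonText) {
  let doc;
  try { doc = JSON.parse(jsonText); } catch { return [{ column: null, reason: 'invalid JSON' }]; }
  if (!doc || !Array.isArray(doc.columns)) return [{ column: null, reason: 'missing columns array' }];
  const findings = [];
  for (const col of doc.columns) {
    const name = col ? col.name : undefined;
    if (!isSafeIdent(name)) findings.push({ column: name, reason: 'not a plain identifier' });
    if (!col || !TYPE_MAP.has(col.type)) findings.push({ column: name, reason: 'unknown type' });
  }
  return findings;
}

// Build DDL only from validated, quoted identifiers and an allowlisted type.
function buildAddColumn(table, column, type) {
  if (!isSafeIdent(table) || !isSafeIdent(column)) throw new Error('rejected identifier');
  if (!TYPE_MAP.has(type)) throw new Error('rejected type');
  return `ALTER TABLE ${quoteIdent(table)} ADD COLUMN ${quoteIdent(column)} ${TYPE_MAP.get(type)}`;
}

// Constructed sample: the second column name carries a double quote and a space.
const SAMPLE = JSON.stringify({ name: 'orders', columns: [
  { name: 'total', type: 'number' },
  { name: 'total" x', type: 'string' },
  { name: 'notes', type: 'blob' },
] });
console.log(auditDataTable(SAMPLE));
```

Running a check like `auditDataTable` over the repository's Data Table files before a Source Control Pull surfaces column names that should never be interpolated into SQL.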


How to mitigate CVE-2026-44792

Install the security update from the vendor's website.
