SQL injection in n8n - CVE-2026-54310

Published: June 16, 2026


Vulnerability identifier: #VU134561
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54310
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands against the connected database.

The vulnerability exists due to SQL injection in the TimescaleDB and legacy Postgres v1 nodes when processing crafted node parameters. A remote user can supply crafted parameters to execute arbitrary SQL commands against the connected database.

Exploitation requires permission to create or modify workflows, and injected SQL runs within the privileges of the configured database account.
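The description above turns on one detail: node parameters that an authorised workflow author controls end up interpreted as SQL syntax rather than as data. The added example below is not n8n's code and does not reproduce the affected nodes; it contrasts a query builder that concatenates parameters into the statement text with one that validates identifiers and hands values over separately, the shape node-postgres expects in `client.query(text, values)`. All function names (`buildSelectUnsafe`, `buildSelectSafe`, `quoteIdentifier`, `demo`) and the sample parameters are assumptions constructed for this illustration.

```javascript
// Added example, not n8n project code: string-built SQL versus a
// parameterized query. Nothing here touches a real database; the
// functions only produce the query text and parameter list so the
// difference in structure can be inspected directly.

// Identifiers (table/column names) cannot be bound as $1 placeholders,
// so they are constrained to a strict allowlist pattern instead.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: every node parameter is spliced into the SQL text.
// Whatever the workflow author types in `value` becomes part of the
// statement, so a quote character changes the query's structure.
function buildSelectUnsafe(table, column, value) {
  return `SELECT * FROM ${table} WHERE ${column} = '${value}'`;
}

// Hardened pattern, part 1: identifiers are validated and double-quoted.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || !IDENT_RE.test(name)) {
    throw new Error(`rejected identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// Hardened pattern, part 2: data values never enter the query text; they
// travel out-of-band as $1, $2, ... and the driver sends them separately.
function buildSelectSafe(table, column, value) {
  return {
    text: `SELECT * FROM ${quoteIdentifier(table)} WHERE ${quoteIdentifier(column)} = $1`,
    values: [value],
  };
}

// Constructed sample node parameters (hypothetical, for illustration only).
// The value carries a quote so the two builders can be compared.
const sampleTable = 'users';
const sampleColumn = 'email';
const sampleValue = "x' OR '1'='1";

function demo() {
  const unsafe = buildSelectUnsafe(sampleTable, sampleColumn, sampleValue);
  const safe = buildSelectSafe(sampleTable, sampleColumn, sampleValue);

  // An identifier that is not a plain name is refused outright rather
  // than being quoted and passed through.
  let identifierRejected = false;
  try {
    buildSelectSafe('users; --', sampleColumn, 'x');
  } catch (e) {
    identifierRejected = true;
  }

  return { unsafe, safe, identifierRejected };
}

const result = demo();
console.log('unsafe text :', result.unsafe);
console.log('safe text   :', result.safe.text);
console.log('safe values :', result.safe.values);
console.log('bad identifier rejected:', result.identifierRejected);
```

Run with `node example.js`. The unsafe builder yields a statement whose WHERE clause now contains an `OR '1'='1'` branch the author of the query never wrote; the safe builder's text is fixed regardless of input, and the same string is delivered untouched in `values`, where the database treats it purely as a comparison value. For a review of similar integrations, the thing to look for is any code path where a user-controllable field is interpolated into the statement text, including table and column names, which need allowlisting because they cannot be bound.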


How to mitigate CVE-2026-54310

Install the security update from the vendor's website.

Sources