SQL injection in n8n - #VU135228

Published: June 25, 2026


Vulnerability identifier: #VU135228
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the MySQL v1 node's executeQuery operation: values produced by n8n expressions are interpolated directly into the raw SQL text instead of being passed as bound parameters. A remote attacker who can supply crafted input through an externally reachable trigger (for example a webhook feeding the workflow) can therefore execute arbitrary SQL commands.

This issue affects only workflows that use the MySQL v1 node with the executeQuery operation, and exploitation requires attacker-controlled input to reach interpolated {{ ... }} expressions.
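The following is an added example, not code from the advisory or from n8n itself. It does two things a defender would want while triaging this finding: it audits a workflow export for MySQL v1 nodes that run executeQuery with a query containing interpolated {{ ... }} expressions, and it contrasts string interpolation with bound parameters to show why the interpolated form is the problem. The sample workflow is constructed; the node type name `n8n-nodes-base.mySql`, the `typeVersion`, `parameters.operation`, `parameters.query` fields and the leading `=` that marks an expression-valued parameter are my understanding of n8n's export format and should be treated as assumptions.

```javascript
// Added example (not n8n's code): audit an exported workflow for the pattern
// described in the advisory, and show interpolation vs. bound parameters.

// The query template used throughout; the {{ $json.email }} expression is
// resolved from the incoming item at run time.
const TEMPLATE = "SELECT * FROM users WHERE email = '{{ $json.email }}'";

// Constructed sample of an n8n workflow export. Field names and the leading
// "=" on expression-valued parameters are assumptions about the export format.
const SAMPLE_WORKFLOW = {
  nodes: [
    {
      name: "Lookup user",
      type: "n8n-nodes-base.mySql",
      typeVersion: 1,
      parameters: { operation: "executeQuery", query: "=" + TEMPLATE },
    },
    {
      name: "Static report",
      type: "n8n-nodes-base.mySql",
      typeVersion: 1,
      parameters: { operation: "executeQuery", query: "SELECT COUNT(*) FROM orders" },
    },
    {
      name: "Insert row",
      type: "n8n-nodes-base.mySql",
      typeVersion: 1,
      parameters: { operation: "insert", table: "events" },
    },
  ],
};

// Matches any {{ ... }} expression in a parameter value.
const EXPRESSION_RE = /\{\{[\s\S]*?\}\}/;

// Returns the names of nodes matching the advisory's affected configuration:
// MySQL node, typeVersion 1, executeQuery, and an expression inside the query.
function findRiskyMysqlNodes(workflow) {
  return (workflow.nodes || [])
    .filter(
      (node) =>
        node.type === "n8n-nodes-base.mySql" &&
        node.typeVersion === 1 &&
        node.parameters?.operation === "executeQuery" &&
        EXPRESSION_RE.test(String(node.parameters.query ?? ""))
    )
    .map((node) => node.name);
}

// Matches a $json.<key> expression together with any quotes wrapping it.
const JSON_EXPR_RE = /'?\{\{\s*\$json\.(\w+)\s*\}\}'?/g;

// Simulates the vulnerable behaviour: the evaluated expression becomes part
// of the SQL text, so any quote in the value changes the statement itself.
function interpolate(template, item) {
  return template.replace(JSON_EXPR_RE, (match, key) => {
    const quoted = match.startsWith("'") && match.endsWith("'");
    const value = String(item[key]);
    return quoted ? "'" + value + "'" : value;
  });
}

// Safer shape: the SQL text stays constant and each expression result is
// emitted as a "?" placeholder with its value in a separate parameter list,
// which is how MySQL client libraries expect query(sql, params) to be called.
function parameterize(template, item) {
  const params = [];
  const sql = template.replace(JSON_EXPR_RE, (_, key) => {
    params.push(item[key]);
    return "?";
  });
  return { sql, params };
}

// Constructed item with an apostrophe in a legitimate value: enough to show
// that interpolation alters the SQL while parameterization leaves it intact.
const ITEM = { email: "o'brien@example.com" };

console.log("Risky nodes:", findRiskyMysqlNodes(SAMPLE_WORKFLOW));
console.log("Interpolated :", interpolate(TEMPLATE, ITEM));
console.log("Parameterized:", parameterize(TEMPLATE, ITEM));
```

Running the audit against a real export (`JSON.parse` of the workflow file) lists the nodes to prioritise for the vendor update; the second half makes the remediation target concrete: after patching, a value with a quote should never appear inside the statement text, only in the parameter list.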


Remediation

Install security update from vendor's website.

Sources