Description

n8n before version 2.4.0 contains a SQL injection vulnerability in the MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. Attackers with workflow creation permissions can supply specially crafted table or column names to execute unauthorized database commands and compromise data integrity.

PUBLISHED Reserved 2026-06-20 | Published 2026-06-24 | Updated 2026-06-24 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N)
HIGH: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected

Any version before 2.4.0: affected

2.4.0 (semver): unaffected

References

github.com/...io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx (GitHub Security Advisory (GHSA-f3f2-mcxc-pwjx)) vendor-advisory

www.vulncheck.com/...ysql-postgresql-and-microsoft-sql-nodes (VulnCheck Advisory: n8n - SQL Injection in MySQL, PostgreSQL, and Microsoft SQL Nodes) third-party-advisory

cve.org (CVE-2026-56351)

nvd.nist.gov (CVE-2026-56351)
