Which versions of n8n are affected by CVE-2026-44792?

CVE-2026-44792 is a SQL injection vulnerability in n8n's Source Control feature that enables attackers with git repository write access to execute arbitrary database commands against PostgreSQL…. A patch is available.

How to fix or mitigate CVE-2026-44792?

Within 24 hours: Identify all n8n instances using PostgreSQL backends with Source Control feature enabled and document current version numbers. Within 7 days: Apply vendor-released patches (n8n 1.x latest, 2.20.x latest, or 2.21.x latest patch version per vendor advisory). Within 30 days: Review git repository access controls and audit pull operation logs for suspicious Data Table JSON modifications; implement additional code review requirements for any Source Control changes before administrator approval.

n8n CVE-2026-44792

HIGH

SQL Injection (CWE-89)

2026-05-14 https://github.com/n8n-io/n8n

GHSA-mhrx-qhrj-673w

SQLi PostgreSQL

Lifecycle Timeline

Source Code Evidence Fetched

May 14, 2026 - 17:02 vuln.today

Analysis Generated

May 14, 2026 - 17:02 vuln.today

CVE Published

May 14, 2026 - 16:18 nvd

HIGH

DescriptionNVD

Impact

An attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection on the internal PostgreSQL instance.

Exploitation requires all of the following conditions:

The n8n instance uses PostgreSQL as its database backend.
The Source Control feature is enabled and connected to a repository the attacker can write to.
An administrator triggers a Source Control Pull.

Patches

The issue has been fixed in n8n version 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

Disable the Source Control feature if it is not actively required.
Restrict write access to the connected git repository to fully trusted users only.
Avoid pulling from repositories that may have been modified by untrusted parties.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

SQL injection in n8n's Source Control feature allows attackers with git repository write access to execute arbitrary SQL against the PostgreSQL backend when administrators pull malicious Data Table JSON files. The vulnerability requires a specific attack chain: attacker git repository access, Source Control feature enabled, PostgreSQL backend, and admin-triggered pull operation. …

RemediationAI

Within 24 hours: Identify all n8n instances using PostgreSQL backends with Source Control feature enabled and document current version numbers. Within 7 days: Apply vendor-released patches (n8n 1.x latest, 2.20.x latest, or 2.21.x latest patch version per vendor advisory). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44792 vulnerability details – vuln.today

Back