Skip to main content

n8n CVE-2026-59257

| EUVDEUVD-2026-42269 MEDIUM
SQL Injection (CWE-89)
2026-07-08 disclosure@vulncheck.com GHSA-2qp2-6frj-p9pq
5.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.9 HIGH

AC:H reflects the required workflow configuration prerequisites (AT:P equivalent); scope change to MySQL database drives SC:H/SI:H; PR:N because externally-reachable Webhook requires no attacker credentials.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 15:19 vuln.today
Patch available
Jul 08, 2026 - 15:01 EUVD

DescriptionCVE.org

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated {{ ... }} expression values directly into the raw SQL string without parameterization. When a workflow uses this operation with expression-sourced values and is connected to an externally-reachable trigger (such as a Webhook node), attacker-controlled input reaching those expressions results in SQL injection, allowing execution of arbitrary SQL with the configured MySQL credentials' privileges. The MySQL v2 node, which uses parameterized queries, is not affected.

AnalysisAI

SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify n8n instance with public Webhook endpoint
Delivery
Send crafted HTTP request with SQL injection payload
Exploit
n8n evaluates {{ ... }} expression and interpolates payload into raw SQL
Execution
MySQL v1 node executes injected SQL with configured credential privileges
Impact
Exfiltrate or modify connected database contents

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following conditions simultaneously: (1) the target workflow must use the legacy MySQL v1 node's executeQuery operation specifically - the MySQL v2 node is not affected; (2) the SQL query in that node must incorporate one or more {{ ... … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 reflects a notable risk profile: AV:N and AC:L confirm network reachability and low complexity, but AT:P captures the essential prerequisite - the target workflow must explicitly use the MySQL v1 node with expression-interpolated values and be reachable via an external trigger. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an n8n instance with a publicly accessible Webhook endpoint connected to a workflow that uses the MySQL v1 node's executeQuery operation with expression-sourced input. The attacker sends a crafted HTTP POST request to the Webhook URL with a SQL injection payload embedded in the expected request body field; n8n evaluates the {{ ... …
Remediation Upgrade n8n to version 1.123.61 or later (1.x branch), 2.27.4 or later (2.x branch), or 2.28.1 or later (2.28.x branch) as confirmed by the vendor advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-hwmj-qg4v-cvg9. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

CVE-2026-59257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy