SQL Injection Vulnerability in n8n Workflow Automation Platform
CVE-2026-27497
What is CVE-2026-27497?
The n8n workflow automation platform has a SQL injection vulnerability that allows authenticated users to execute arbitrary code on the system. Specifically, users with permission to create or modify workflows can misuse the Merge node's SQL query mode to execute unauthorized SQL commands. This lets an attacker write arbitrary files on the n8n server, potentially leading to elevated privileges and further compromise. To mitigate the issue, upgrade to a fixed version (2.10.1, 2.9.3, or 1.123.22). As an immediate but temporary measure, limit workflow modification permissions to trusted users or disable the Merge node within the environment settings.
Affected Version(s)
n8n < 1.123.22
n8n >= 2.0.0, < 2.9.3
n8n >= 2.10.0, < 2.10.1
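
A triage helper for the version ranges and the Merge node condition described above. It is an added example, not code from n8n or from this advisory. It assumes exported workflow JSON has a "nodes" array in which Merge nodes have type "n8n-nodes-base.merge" and SQL query mode is stored as parameters.mode "combineBySql"; the sample workflow is constructed.

```javascript
// Affected ranges from this page, as [lowest affected, first fixed) pairs.
const AFFECTED = [
  ['0.0.0', '1.123.22'],
  ['2.0.0', '2.9.3'],
  ['2.10.0', '2.10.1'],
];

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so 2.9.10 sorts after 2.9.3 (string comparison would not).
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED.some(([lo, hi]) =>
    compare(v, parseVersion(lo)) >= 0 && compare(v, parseVersion(hi)) < 0);
}

// Assumed export layout (see lead-in): list Merge nodes running in SQL query mode
// so their queries and the users able to edit them can be reviewed.
function findSqlMergeNodes(workflow) {
  return (workflow.nodes || [])
    .filter(n => n.type === 'n8n-nodes-base.merge' &&
                 n.parameters && n.parameters.mode === 'combineBySql')
    .map(n => ({ workflow: workflow.name, node: n.name, query: n.parameters.query }));
}

// Constructed sample export, not taken from a real instance.
const sampleWorkflow = {
  name: 'orders-sync',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: {} },
    { name: 'Join orders', type: 'n8n-nodes-base.merge',
      parameters: { mode: 'combineBySql', query: 'SELECT * FROM input1 JOIN input2 USING (id)' } },
    { name: 'Append', type: 'n8n-nodes-base.merge', parameters: { mode: 'append' } },
  ],
};

console.log('2.9.2 affected:', isAffected('2.9.2'));
console.log(findSqlMergeNodes(sampleWorkflow));
```

A Merge node listed here is not evidence of compromise; on an affected version it marks a workflow whose editors should be reviewed until the upgrade is applied.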
