SQL Injection Vulnerability in n8n's MySQL v1 Node
CVE-2026-59257
What is CVE-2026-59257?
The legacy MySQL v1 node in n8n prior to version 1.123.61, and versions 2.x before 2.27.4 and 2.28.x before 2.28.1, is susceptible to SQL injection. This vulnerability arises from the executeQuery operation, which directly incorporates evaluated expression values into the SQL query without proper parameterization. When a workflow is executed using this operation and is connected to an externally-reachable trigger (like a Webhook node), it allows attacker-controlled input to manipulate underlying SQL commands. The impact of this vulnerability can lead to the execution of arbitrary SQL commands with the privileges of the configured MySQL credentials. It is important to note that the MySQL v2 node, which employs parameterized queries, is not affected.
Affected Version(s)
n8n 0 < 1.123.61
n8n 0 < 2.28.1
n8n 0 < 2.27.4
