SQL Injection Vulnerability in n8n's MySQL v1 Node
CVE-2026-59257

5.3MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59257?

The legacy MySQL v1 node in n8n prior to version 1.123.61, and versions 2.x before 2.27.4 and 2.28.x before 2.28.1, is susceptible to SQL injection. This vulnerability arises from the executeQuery operation, which directly incorporates evaluated expression values into the SQL query without proper parameterization. When a workflow is executed using this operation and is connected to an externally-reachable trigger (like a Webhook node), it allows attacker-controlled input to manipulate underlying SQL commands. The impact of this vulnerability can lead to the execution of arbitrary SQL commands with the privileges of the configured MySQL credentials. It is important to note that the MySQL v2 node, which employs parameterized queries, is not affected.

Affected Version(s)

n8n 0 < 1.123.61

n8n 0 < 2.28.1

n8n 0 < 2.27.4

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.